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IMPACT AND POLICY IMPLICATIONS OF 
SPYWARE ON CONSUMERS AND BUSINESSES 


WEDNESDAY, JUNE 11, 2008 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 3:07 p.m. in room 
SR-253, Russell Senate Office Building, Hon. Mark Pryor, pre- 
siding. 

OPENING STATEMENT OF HON. MARK PRYOR, 

U.S. SENATOR FROM ARKANSAS 

Senator Pryor. Someone out there told me, don’t start being like 
the airlines, being late on everything. So we won’t do that. I’m 
sorry that I was a few minutes late, but I got caught in a previous 
meeting. 

I want to thank Chairman Inouye and Vice Chairman Stevens 
for holding this hearing to review the efforts by industry, the Fed- 
eral Trade Commission, and Congress, to combat spyware and its 
effects on consumers. Specifically, this hearing will look at the im- 
pact of spyware on computer performance, along with privacy and 
security risks associated with this software. 

In particular, the hearing will consider a bill that I filed, S. 1625, 
the Counter Spy Act, and that I introduced with Senator Bill Nel- 
son and Senator Boxer. Also, just to let other Senators and other 
staff know, we thought we’d have this hearing and sit down with 
our bill and see if we can get some other cosponsors and help us 
think through some issues there. So I want to thank all the wit- 
nesses today for being part of that process. 

Spyware is a pervasive problem that really I believe demands 
swift action by Congress to protect American consumers from very 
significant privacy and security risks. There are very few, if any 
that I can determine, legitimate reasons for this practice of having 
spyware in the first place, and there are numbers of reasons why 
we should do something to try to stop spyware. 

Basically, I think our bill needs to do two very important things. 
One is we need a good workable definition of spyware. It’s hard to 
define, but we need to come up with a Federal definition where 
there’s a standard. 

The second thing is we need to come up with some civil penalties 
in the event that someone is out there using spyware in an unau- 
thorized manner. We need to have a civil penalty regime so that 
the FTC knows exactly what they need to do and what steps they 
need to take. 
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I guess the other part that’s kind of implicit in both of those is 
that we need to make sure that whatever we pass is very con- 
sumer-friendly, so consumers know that when spyware is present 
on their system or asking to be loaded or whatever the case may 
be, that the consumers have a chance to stop it from being added 
to their computers in the first place. 

So with that, what I would like to do is ask Senator Vitter if you 
have an opening statement. 

STATEMENT OF HON. DAVID VITTER, 

U.S. SENATOR FROM LOUISIANA 

Senator Vitter. Thank you, Mr. Chairman. I’ll be very brief. 
Thank you for this hearing. This is an extremely important topic. 
I agree with you that it’s a really serious problem that we should 
move absolutely as quickly as possible to address. I certainly want 
to be part of the discussions and the solution. 

That’s the easy part. The tough part is how we do that effec- 
tively. I think the biggest challenge in so many of these issues is 
to come up with legislation that isn’t outpaced or becomes outdated 
by technology in a month or a year. So I believe we should focus 
on passing legislation against improper activity and not be too 
technologically specific, because I think that’s going to end up get- 
ting us in trouble, having unintended consequences, or just being 
outdated relatively soon. 

So I’m very interested in legislation. Some of the things I want 
to avoid is to enact things that would be technology mandates, to 
enact things that might unintentionally hamper the ability of the 
FTC and law enforcement to adopt a technology and that could be 
interpreted so broadly that it would extend beyond unwanted 
spyware to affect all web pages or to affect online transactions that 
folks do want and get some convenience out of. 

So thank you again for this hearing. I look forward to hearing 
from the witnesses and asking questions with the goal of helping 
develop that sort of bipartisan legislation. 

Senator Pryor. Thank you. 

Senator Nelson, I’ll call on you for an opening statement if you’d 
like to make one and then ask you to introduce the first witness. 

STATEMENT OF HON. BILL NELSON, 

U.S. SENATOR FROM FLORIDA 

Senator Nelson. Mr. Chairman, you have to go back to a con- 
ference committee? 

Senator Pryor. Yes. 

Senator Nelson. So I will await your return. 

Senator Pryor. Thank you. 

Senator Nelson [presiding]. Consumer Reports in a recent edi- 
tion had a survey and of the 2,000 people surveyed, one in eleven 
reported a major spyware infection on their computer. These infec- 
tions are costly, may well cost over $100 to fix, and the overall cal- 
culated impact on the economy is $1.7 billion. That’s a figure that’s 
only going to increase. 

So that’s why we filed this legislation. We also hope that the 
Federal Trade Commission and other law enforcement agencies are 
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going to take further action to pursue to the maximum extent pos- 
sible foreign spyware developers. 

Now, in another arena, in the intelligence arena, in the defense 
arena, we have a particular concern which is not the subject of the 
discussion here today. But clearly that overlays the problem that 
we’re talking about on consumers today. 

So we are delighted to have Ms. Eileen Harrington, Deputy Di- 
rector of the Bureau of Consumer Protection at the FTC. So, Ms. 
Harrington, your presentation, please. Your lengthy statement will 
be a part of the record, so if you would just summarize, and then 
we’ll get right into the questions. Thank you. 

STATEMENT OF EILEEN HARRINGTON, DEPUTY DIRECTOR, 

BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE 

COMMISSION 

Ms. Harrington. Thank you very much, Senator Nelson and 
Chairman Pryor and Members of the Committee. I am Eileen Har- 
rington. 

Spyware and other malware causes substantial harm to con- 
sumers and to the Internet as a medium of communication and 
commerce. Protecting consumers from this harm is a priority for 
the Federal Trade Commission and we thank you for giving us the 
opportunity to appear here today to talk about the FTC’s activity 
in this area and to comment on S. 1625, the Counter Spy Act, 
which was introduced by Senator Pryor, Senator Boxer, and Sen- 
ator Nelson. 

Since 2004 the FTC has brought 11 spyware-related law enforce- 
ment actions and, while we certainly haven’t solved the spyware 
problem, our law enforcement efforts have, we believe, had an ef- 
fect and have reduced the prevalence of pop-up ads generated by 
nuisance adware. Our spyware law enforcement actions reaffirmed 
three key principles. 

The first is that a consumer’s computer belongs to him or her, 
not to the software distributor, and it must be the consumer’s 
choice whether or not to install software. This principle reflects the 
basic common sense notion that Internet businesses are not free to 
help themselves to the resources of a consumer’s computer. 

The second principle articulated in our enforcement work is that 
buried disclosures of material information necessary to correct an 
otherwise misleading impression are not sufficient, just as they 
have never been sufficient in more traditional areas of commerce. 
Specifically, burying material information in an End User License 
Agreement will not shield a spyware purveyor from Section 5 liabil- 
ity. 

The third principle underscored by our work is that if a dis- 
tributor puts a program on a computer that the consumer does not 
want the consumer should be able to uninstall or disable it. 

As in so many other areas, cooperation among law enforcement 
agencies is vital to successful enforcement in the spyware area. 
Many of the worst abuses connected with spyware are criminal ac- 
tivity in nature and we at the FTC coordinate very closely with our 
colleagues at the Department of Justice to see to it that these 
criminals are prosecuted. The FTC also coordinates closely with 
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State law enforcement partners who bring enforcement actions 
against spyware distributors. 

Now, in addition to engaging in law enforcement and coordi- 
nating with others in the enforcement community, the FTC has 
made consumer education a priority. In September 2005, the FTC 
formed a partnership with other Federal agencies in the technology 
industry to launch a multimedia interactive consumer education 
initiative, OnGuard Online. The OnguardOnline.gov website now 
attracts over 350,000 unique visits each month and many organiza- 
tions have taken the OnGuard Online materials for their own secu- 
rity training. The comprehensive website has general information 
on online safety as well as sections with specific information on a 
range of topics, including spyware. 

Turning to the bill under discussion, S. 1625, we would make two 
points. First, although we have successfully used Section 5 of the 
FTC Act to challenge conduct related to spyware distribution under 
Section 5, legislation authorizing the Commission to seek civil pen- 
alties in spyware cases would provide a welcome addition to rem- 
edies available to us. Currently under Section 13(b) of the FTC Act 
we have authority to file actions in Federal district court and to ob- 
tain injunctive and equitable monetary relief in the form of con- 
sumer redress or disgorgement. In spyware cases, however, restitu- 
tion or disgorgement may be neither appropriate nor sufficient 
remedies because consumers often have not purchased a product or 
a service from the defendants, the harm to consumers may be very 
difficult to quantify, or the defendant’s profits may be slim or dif- 
ficult to calculate with certainty. In such cases a civil penalty may 
be a far better remedy and serve as a stronger deterrent. 

Second, under general consumer protection principles and tradi- 
tional Section 5 jurisprudence, the Commission need not show 
knowledge or intent in order to obtain injunctive relief, but several 
sections of S. 1625 impose an overarching knowledge or intent 
threshold for enforcement that could create a higher and more dif- 
ficult evidentiary burden for the FTC in obtaining injunctions in 
civil spyware cases. 

Section 5(m)(l) of the FTC Act already requires that the Com- 
mission prove knowledge in any civil penalty action. Eliminating 
the knowledge or intent threshold from S. 1625 would not change 
the Commission’s elevated burden regarding civil penalties, but it 
would maintain the ordinary burden that we have to meet in order 
to obtain injunctive relief. So we would recommend that change. 

I thank you for focusing your attention on this important issue 
and giving us the opportunity to discuss the Commission’s enforce- 
ment record. Thank you. 

[The prepared statement of Ms. Harrington follows:] 

Prepared Statement of Eileen Harrington, Deputy Director, 

Bureau of Consumer Protection, Federal Trade Commission 

I. Introduction 

Chairman Pryor and members of the Committee on Commerce, Science, and 
Transportation, I am Eileen Harrington, Deputy Director of the Bureau of Con- 
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sumer Protection of the Federal Trade Commission (“Commission” or “FTC”). 1 
Spyware and other malware can cause substantial harm to consumers and to the 
Internet as a medium of communication and commerce. Protecting consumers from 
such harm is a priority for the Commission, and the agency thanks this Committee 
for the opportunity to describe what the FTC is doing in this area and to provide 
input on S. 1625, the “Counter Spy Act” introduced by Senators Pryor, Boxer, and 
Nelson. 

This written statement provides background on the Commission’s active program 
to address concerns about spyware and other malware, which includes law enforce- 
ment actions and consumer education efforts. First, it discusses the Commission’s 
three key principles related to spyware as illustrated by the eleven spyware-related 
law enforcement actions the agency has initiated to date. Second, the statement 
highlights the Commission’s consumer education efforts on spyware. Third, the 
statement offers the Commission’s views on the proposed legislation, S. 1625. 

The Commission has a broad mandate to prevent unfair methods of competition 
and unfair or deceptive acts or practices in or affecting commerce. 2 Although it is 
often challenging to locate and apprehend the perpetrators, the FTC has success- 
fully challenged the distribution of spyware that causes injury to consumers online. 

Spyware and other malware that is downloaded without authorization can cause 
a range of problems for computer users, from nuisance adware that delivers pop- 
up ads, to software that causes sluggish computer performance, to keystroke loggers 
that capture sensitive information. As described below, the Commission has an ac- 
tive program to address concerns about spyware and other malware, including law 
enforcement and consumer education. Since 2004, the Commission has initiated 
eleven spyware-related law enforcement actions. 3 While the problem of spyware has 
not been solved, our cases have had a significant effect and, based on our investiga- 
tive experience, we believe the prevalence of pop-up ads generated by nuisance 
adware has been dramatically reduced. 

II. Spyware Law Enforcement 

A. FTC Cases 

The Commission’s spyware law enforcement actions reaffirm three key principles. 
The first is that a consumer’s computer belongs to him or her, not to the software 
distributor, and it must be the consumer’s choice whether or not to install software. 
This principle reflects the basic common-sense notion that Internet businesses are 
not free to help themselves to the resources of a consumer’s computer. For example, 
in FTC v. Seismic Entertainment Inc., 11 and FTC v. Enternet Media, Inc., 5 the Com- 
mission alleged that the defendants unfairly downloaded spyware to users’ com- 
puters without the users’ knowledge, in violation of Section 5 of the FTC Act. Stipu- 
lated permanent injunctions were entered against the defendants in both matters, 
and defendants were ordered to disgorge more than $6 million, combined. 

The second principle is that buried disclosures of material information necessary 
to correct an otherwise misleading impression are not sufficient, just as they have 
never been sufficient in more traditional areas of commerce. Specifically, burying 
material information in an End User License Agreement will not shield a spyware 
purveyor from Section 5 liability. This principle was illustrated in FTC v. Odysseus 
Marketing, Inc. 5 and Advertising.com, Inc. 1 In these two cases, the Commission’s 
complaint alleged (among other violations) that the defendants failed to disclose 
adequately that the free software they were offering was bundled with harmful soft- 
ware programs. The orders entered in both cases require the defendants to disclose 
properly the effects of software programs that they offer in the future. 

The third principle is that, if a distributor puts a program on a computer that 
the consumer does not want, the consumer should be able to uninstall or disable 


iThe written statement presents the views of the Federal Trade Commission. Oral statements 
and responses to questions reflect the views of the speaker and do not necessarily reflect the 
views of the Commission or any Commissioner. 

2 15U.S.C. §45. 

3 Detailed information regarding each of these law enforcement actions is available at 
http:/ / www.ftc.gov/bcp / edu / microsites / spyware / law enfor.htm. 

4 FTC v. Seismic Entertainment, Inc., No. 04-377-JD, 2004 U.S. Dist. LEXIS 22788 (D.N.H. 
Mar. 22, 2006), available at http:/ / www.ftc.gov / os / caselist / 0423142 / 0423142. shtm. 

5 FTC v. Enternet Media, Inc., CV 05-7777 CAS (C.D. Cal., Aug. 22, 2006), available at 
http .7 / www.ftc.gov / os / caselist / 0523135 / 0523135. shtm. 

6 FTC v. Odysseus Marketing, Inc., No. 05— CV— 330 (D.N.H. Oct. 24, 2006) (stipulated perma- 
nent injunction), available at http: II www.ftc.gov / os / caselist / 0423205 / 0423205. shtm. 

1 In the Matter of Advertising.com, Inc., FTC Dkt. No. C-4147 (Sept. 12, 2005) (consent order), 
available at http:/ / www.ftc.gov / os / caselist / 0423196 / 0423196. shtm. 
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it. This principle is underscored by cases against Zango, Inc. 8 and DirectRevenue 
LLC. 9 These companies allegedly provided advertising programs, or adware, that 
monitored consumers’ Internet use and displayed frequent, targeted pop-up ads — 
over 6.9 billion pop-ups by Zango alone. According to the Commission’s complaints, 
the companies deliberately made these adware programs difficult for consumers to 
identify, locate, and remove from their computers, thus thwarting consumer efforts 
to end the intrusive pop-ups. Among other relief, the consent orders require Zango 
and DirectRevenue to provide a readily identifiable means to uninstall any adware 
that is installed in the future, as well as to disgorge $3 million and $1.5 million, 
respectively. 

Similarly, in FTC v. Digital Enterprises, Inc., 10 the Commission alleged that the 
defendants installed software onto consumers’ computers that repeatedly launched 
text and video pop-ups that consumers could not close or minimize. These pop-ups 
demanded payment for access to the defendants’ purported entertainment websites. 
Among other relief, the September 2007 stipulated permanent injunction requires 
the defendants to provide a way for consumers to remove the software, bars future 
downloads without consumer consent, and requires the defendants to pay more than 
$500,000 for consumer redress. 

In addition, the agency’s law enforcement efforts have alerted the Commission to 
novel spyware-related consumer protection issues such as the marketing of bogus 
anti-spyware programs. For example, in FTC v. MaxTheater, Inc. 11 and FTC v. 
Trustsoft, Inc., 12 the FTC alleged that the defendants made false claims to con- 
sumers about the existence of spyware on their machines and then used these false 
claims to convince consumers to conduct free “scans” of their computers. These 
scans would identify innocuous software as spyware, helping to persuade consumers 
to purchase the defendants’ spyware removal products at a cost of between $30 and 
$40. Moreover, the FTC alleged, the defendants claimed their spyware removal 
products could effectively uninstall many different types of known spyware pro- 
grams, but the defendants’ products did not perform as promised. In both cases, 
courts entered stipulated permanent injunctions prohibiting the claims and requir- 
ing the defendants to disgorge a total of nearly $2 million. 

B. Cooperation with Department of Justice and State Law Enforcement 

As in so many other areas, cooperation among law enforcement agencies is vital 
to successful law enforcement in the spyware arena. Many of the worst abuses con- 
nected with spyware are criminal, 13 and, in appropriate cases, the Commission co- 
ordinates closely with the Department of Justice. For example, in FTC v. ERG Ven- 
tures, LLC, 11 the FTC’s complaint alleged that the defendants secretly downloaded 
multiple malevolent software programs, including spyware, onto millions of com- 
puters without consumers’ consent. The defendants also allegedly tricked consumers 
into downloading harmful software by hiding the malicious programs within seem- 
ingly innocuous free software. The U.S. Attorney’s Office for the District of Colum- 
bia launched a parallel criminal investigation, and executed search warrants simul- 
taneously with the filing of the FTC’s civil case. 15 

The Commission also coordinates with state partners who bring their own law en- 
forcement actions against spyware distributors. The FTC has established a Federal- 
state spyware law enforcement task force to discuss issues and trends in spyware 
law enforcement. The task force consists of representatives from agencies such as 


8 In the Matter of Zango, Inc. flkla 180 Solutions, Inc., FTC Dkt. No. C-4186 (Mar. 7, 2007), 
available at http :/ / www.ftc.gov / os / caselist / 0523130 / index.shtm. 

9 In the Matter of DirectRevenue LLC, FTC Dkt. No. C-4194 (June 26, 2007), available at 
http:! / www.ftc.gov 1 os / caselist / 0523131 /index.shtm. 

1° FTC v. Digital Enterprises, Inc. d/b/a Movieland.com, CV06— 4923 (C.D. Cal. Sept. 5, 2007), 
available at http:/ / www.ftc.gov / os / caselist / 0623008 / index.shtm. 

1 1 FTC v. MaxTheater, Inc., No. 05— CV— 0069 (E.D. Wa. Dec. 6, 2005), available at 
http:/ / www.ftc.gov / os / caselist / 0423213 / 0423213. shtm. 

1 2 FTC v. Trustsoft, Inc., No. H-05-1905 (S.D. Tex. Nov. 30, 2005), available at 
http .7 / www.ftc.gov / os / caselist / 0523059 / 0523059. shtm. 

13 See, e.g., Department of Justice, Computer Crime & Intellectual Property Section, Computer 
Crime News Releases, available at http:/ / www.usdoj.gov / criminal / cybercrime / ccnews.html. 

14 FTC v. ERG Ventures, LLC, 3:06-CV-00578-LRH-VPC (D. Nev. Oct. 3, 2007), available at 
http : / lwww.ftc.gov / os / caselist / 0623192 / index.shtm. Pursuant to the stipulated order entered 
by the court in the FTC action, the defendants must disgorge $330,000. A permanent injunction 
also bars the defendants from downloading software onto consumers’ computers without dis- 
closing its function and obtaining consumers’ consent prior to installation, bars them from 
downloading software that interferes with consumers’ computer use, and bars false or mis- 
leading claims. 

15 See FTC News Release, Court Shuts Down Media Motor Spyware Operation (Nov. 13, 2006), 
available at http:/ / www.ftc.gov / opa / 2006 / 11 / mediamotor.shtm. 
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the Department of Justice and state attorneys general. Federal criminal and state 
law enforcement actions are a critical complement to the FTC’s law enforcement ac- 
tions. 

III. Education 

In addition to engaging in law enforcement, the FTC has made consumer edu- 
cation a priority. In September 2005, the Commission and a partnership of other 
Federal agencies and the technology industry launched a multimedia, interactive 
consumer education initiative, OnGuard Online, along with a Spanish-language 
version, AlertaenLinea. The OnGuardOnline.gov site now attracts over 350,000 
unique visits each month, and many organizations have adapted the OnGuard On- 
line materials for their own security training. The comprehensive website has gen- 
eral information on online safety, as well as sections with specific information on 
a range of topics, including spyware. The spyware module includes up-to-date infor- 
mation, as well as interactive features like quizzes and videos. As part of the 
OnGuard Online initiative, the FTC also has distributed a million copies of the bro- 
chure and two million copies of the bookmark, “Stop Think Click: 7 Practices for 
Safer Computing,” with information on spyware and other computer safety topics. 
The FTC also has issued a Consumer Alert on spyware, as well as Alerts addressing 
other online security issues such as viruses and peer-to-peer file sharing. 16 

IV. Legislative Steps to Address Spyware 

Although the FTC has successfully challenged conduct related to spyware dissemi- 
nation under Section 5, legislation authorizing the Commission to seek civil pen- 
alties in spyware cases could add a potent remedy to those otherwise available to 
the Commission. Currently, under Section 13(b) of the FTC Act, the Commission has 
the authority to file actions in Federal district court and to obtain injunctive relief 
and equitable monetary relief in the form of consumer redress or disgorgement. It 
has been the agency’s experience in spyware cases, however, that restitution or 
disgorgement may not be appropriate or sufficient remedies because consumers 
often have not purchased a product or service from the defendants, the harm to con- 
sumers may be difficult to quantify, or the defendants’ profits may be slim or dif- 
ficult to calculate with certainty. In such cases, a civil penalty may be the most ap- 
propriate remedy and serve as a strong deterrent. Accordingly, the Commission is 
pleased that S. 1625 provides the Commission this valuable law enforcement tool. 

Last June, FTC staff provided this Committee with technical comments to S. 
1625. Of the various suggestions respectfully made by staff, one important aspect 
of the bill relating to both injunctive relief and civil penalties stands out. Under gen- 
eral consumer protection principles and traditional Section 5 jurisprudence, the 
Commission need not show knowledge or intent in order to obtain injunctive relief: 
that is, for stopping the violative conduct itself. But, several sections of S. 1625 im- 
pose an overarching knowledge or intent threshold for enforcement that could create 
an additional — and often very challenging — evidentiary burden for the FTC in ob- 
taining injunctions in civil cases. Moreover, Section 5(m)(l) of the FTC Act already 
requires the Commission to prove knowledge in any action where civil penalties are 
sought. Eliminating the knowledge or intent threshold from the bill would not 
change the Commission’s elevated burden regarding civil penalties, while maintain- 
ing the ordinary burden for obtaining injunctive relief. 17 The agency looks forward 
to working with the Committee regarding the knowledge and intent aspects of the 
legislation, as well as any of the other important considerations raised by staffs 
technical comments. 

V. Conclusion 

The FTC will continue its aggressive law enforcement and innovative consumer 
education programs in the spyware arena. The FTC thanks this Committee for fo- 
cusing attention on this important issue, and for the opportunity to discuss the 
Commission’s law enforcement program. 


16 See. e.g., P2P File-Sharing: Evaluate the Risks (Feb. 2008), available at http:j lwww.ftc.gov / 
bcp/edu /pubs /consumer /alerts /altl28.shtm; Botnets and Hackers and Spam (Oh, My!) (June 
2007), available at http://www.ftc.gov/bcpledu/pubs/consutner/alerts/altl32.shtm, Spyware 
{July 2005), available at http://www.ftc.gov/bcp/conline/pubs/alerts/spywarealrt.shtm:, Detect, 
Protect, Dis-infect: Consumers Online Face Wide Choices in Security Products (Sept. 2004), avail- 
able at http://www.ftc.gov/bcp/conlinelpubs/alerts/idsalrt.shtm; see generally http:/ / 
www.ftc.gov / bcp / menus / consumer / tech / privacy, shtm. 

17 Indeed, removing the knowledge or intent requirements from S. 1625 would be consistent, 
for example, with the approach in the CAN— SPAM Act. See 15 U.S.C. § 7706(e) (granting the 
FTC authority to seek cease-and-desist orders and injunctive relief without alleging or proving 
knowledge). Spam raises similar enforcement issues to spyware regarding quantifying consumer 
injury and defendants’ profits. 
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Senator Nelson. Senator Vitter? 

Senator Vitter. Thank you, Mr. Chairman. 

Thank you very much for your testimony. In October 2005, then 
Chairman Majoras had a discussion with Senator Allen about these 
issues and I believe Senator Allen asked if new notice and consent 
requirements would help combat spyware. The then Chair testified 
that she didn’t think that it would do so because studies showed 
the more consumers are bombarded with disclosure and consent re- 
quirements the more they don’t read them and sort of let them 
pass by and ignore them. What’s your reaction to that question? 

Ms. Harrington. I think probably our view has not changed, 
but, more importantly, I think the nature of the spyware problem 
has shifted some, from the sort of pervasive pop-up and nuisance 
ads that adware brought us, to far more malicious and malevolent 
consequences from spyware. 

I think that it’s very unlikely that criminals using spyware to 
take over consumers’ computers and cause them to do bad things 
would comply with notice requirements. These are criminals and 
their stock in trade is to sneak around. 

Senator Vitter. OK. What do you think our general approach 
should be in terms of how technology specific we have to be or to 
what extent we can avoid that? 

Ms. Harrington. Well, we certainly know from what is really a 
very brief period of time during which the Internet has operated 
as a principal method of commerce that the technology shifts very 
quickly. To the extent that the Congress chooses to legislate in this 
area, I recommend staying away from specific technology and fa- 
voring broad principles like those that are found in Section 5 of the 
FTC Act, which as an enforcement tool has proven over the decades 
to be a marvelously flexible and resilient statute. The FTC Act was 
adopted in the earlier part of the 20th century and it has stood us 
very well. It is the statute that we have used to stop spyware pur- 
veyors in 11 enforcement actions. That kind of flexibility in a stat- 
ute is very helpful when the technology changes virtually over- 
night. 

Senator Vitter. OK, that’s all I have right now, Mr. Chairman. 

Senator Nelson. Ms. Harrington, you note that one of the Com- 
mission’s spyware enforcement principles is a consumer should be 
able to uninstall or disable unwanted spyware. In the Zango and 
DirectRevenue consent orders, this principle was interpreted requir- 
ing those parties to provide a readily identifiable means to 
uninstall. How is that readily identifiable means identified? How is 
it defined? 

Ms. Harrington. The order sets the standard. The test is wheth- 
er a reasonable consumer having the experience of having that 
software loaded onto his or her computer can readily see how it is 
that it can be uninstalled. It’s really a reasonable consumer stand- 
ard that’s incorporated in those orders. 

Senator Nelson. So it’s not a case by case analysis? 

Ms. Harrington. Well, do you mean for purposes of complying 
with that order, Senator, or across the board? 

Senator Nelson. Of defining it. 

Ms. Harrington. Well, we would always look case by case to see 
whether — but employing the reasonable consumer standard. That 
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is how the Commission proceeds also in using Section 5 as an en- 
forcement tool and it is how the courts have interpreted Section 5 
and ordered relief. 

Senator Nelson. Do you need to include an operating system 
toolbar? 

Ms. Harrington. Do you need to? 

Senator Nelson. Does the readily identifiable means need to in- 
clude an operating system toolbar? 

Ms. Harrington. I’m going to turn to one of our lawyers who’s 
right behind me who worked on that case. 

Senator Nelson. Does the 

Ms. Harrington. I don’t want to give a wrong answer. 

Senator Nelson. OK, come on up. 

Ms. Harrington. It doesn’t necessarily require a toolbar, Sen- 
ator, but we would generally think that the consumer would look 
to the add-remove function to find and remove the software. Or 
there could be a link that the consumer could use to get to the add- 
remove. 

Senator Nelson. And if it’s another kind of spyware, there would 
be another kind of toolbar to remove? 

Ms. Harrington. Any software that would be loaded onto the 
consumer’s computer would need to be easily found and removed. 
I think generally we would expect that it would be very apparent 
when the add-remove function is chosen. But a link would work as 
well. 

Senator Nelson. Do you think some clear rules or definitions 
might be helpful to consumers so that they would know where to 
look for this uninstall tool? 

Ms. Harrington. I think that generally, that the standard that 
requires that it be readily apparent and useable would be a better 
standard in a situation where the technology and format are 
changing frequently. So I would be concerned about tying by rule 
to a particular technique for removal. I think that the better ap- 
proach would be to require that it be readily apparent and acces- 
sible to consumers, and we would assume that over time what that 
means would change; in very specific terms what it means would 
change with the technology. 

Senator Nelson. What if the spyware is a keystroke logger and 
it’s capturing all of the keystrokes that the computer user uses, 
such as it is trying to get passwords or personal information? 

Ms. Harrington. Well, that’s criminal. 

Senator Nelson. It is. But what about a toolbar to remove that? 
How would you go about that? 

Ms. Harrington. How would I go about that? I think that it 
would be unlikely, frankly, that someone installing a keystroke 
logger would willingly put a clear and apparent tool right before 
the consumer to alert him or her to the fact that the keystroke 
logger has been loaded on and to allow them to remove it. The 
whole purpose of that kind of software is to surreptitiously steal in- 
formation from consumers. 

Senator Nelson. So how does the consumer clean his computer 
of that spyware? 

Ms. Harrington. It may be that the consumer’s security pro- 
gram that presumably includes a scan function that can be regu- 



10 


larly run, will identify that program. Typically, when you run those 
kinds of scans you get a box with a report that tells you what you 
have and it’s really easy to remove. 

If the software can’t be detected by those kinds of programs, and 
the really bad stuff that we’re talking about oftentimes flies under 
that radar, the consumer may not be able to discern its presence 
on his or her computer until something really bad happens, and 
then the consumer has to backtrack to try to figure out how his or 
her information fell into the hands of bad guys. It may be very 
tough for consumers to know that they have that kind of software 
on their computer. 

Senator Nelson. What percentage of the spyware do you think 
currently originates outside of the United States? 

Ms. Harrington. We don’t have a way of measuring that, but 
we certainly know that there are problems with malevolent soft- 
ware that shows up through spyware, through e-mail on people’s 
computers. We know that there are big problems with that kind of 
material originating outside of the United States. But we don’t 
have a way of measuring it, just as we don’t have a way of meas- 
uring the totality of spyware that’s loaded onto consumers’ com- 
puters, whether it comes from within or outside of the United 
States. 

Senator Nelson. Do we need to give the FTC new tools to go 
after these foreign bad actors? 

Ms. Harrington. Well, we’re very grateful to the Congress for 
having given us some new tools a couple of years ago in the U.S. 
SAFE WEB Act. We have enhanced authority now to share infor- 
mation with foreign counterparts and obtain information from 
them, and we are using it in nonpublic investigations all the time, 
and we’re most appreciative of the Congress for giving us those au- 
thorities. 

Senator Nelson. So we have enough? We don’t need more? 

Ms. Harrington. We’re in good shape now, thank you. 

Senator Nelson. How well do commercial anti-spyware applica- 
tions work? 

Ms. Harrington. Well, some work well and some don’t work 
well. Some anti-spyware applications are actually hawked by 
crooks to put more spyware on your computer instead of taking it 
off. So there’s quite a spectrum of performance. But the reputable 
software companies that are selling anti-virus and security soft- 
ware sell reasonably good products, and if you visit our 
OnGuardOnline website, we recommend that everyone make sure 
to have good security programs on their computer and run them 
regularly. 

Senator Nelson. Well, the government and the commercial anti- 
spyware providers seem to have been talking for quite a while now 
and still the message isn’t getting out to a lot of consumers. How 
can we do it better? 

Ms. Harrington. Well, first of all, we would urge everyone, 
every government and commercial entity that cares about this to 
have a link to OnGuardOnline right on their website. It is a very 
consumer-friendly site with really easy-to-understand and use di- 
rections about how to protect your computer from a host of bad 
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things and how to prevent oneself from experiencing bad experi- 
ences in the online environment. 

So help us get the message out. I think that to the extent that 
the manufacturers of anti-spyware software and other security 
products can continue to make these products very user friendly, 
anything that we can do to encourage movement in that direction 
is a good thing. These products have become far more user friendly. 
I know, I can actually use them reasonably well myself now and 
I used to find them to be quite difficult. 

Senator Nelson. Yesterday’s New York Times carried a story 
about the Attorney General of New York going after child pornog- 
raphy and it seemed like an inventive way that he was doing it, 
by going and holding the people who convey the information ac- 
countable. First of all, would you comment on what it is, explain 
it, and then tell us what you think about it? 

Ms. Harrington. Well, I’ve read the same press accounts that 
you have. That’s what I know about this. But my understanding is 
that the agreement that the attorney general of New York entered 
into is with three large ISPs, and the ISPs have agreed to block 
their users from accessing sites that have been identified as con- 
taining child pornography material. 

This is an agreement or a settlement. I don’t know what the un- 
derlying legal theory is. I noted in some of the press accounts that 
I read this morning that some are raising First Amendment con- 
cerns. Beyond that, I really don’t know more about that agreement. 

Stepping back, there are certainly times when companies that 
operate portals or control the means of access have been able to 
step up and use that influence and leverage to shut off or discour- 
age bad activity. That’s not a new approach. I really don’t know 
about this particular settlement and how effective it will be at 
eliminating the problem that they’re seeking to address. 

Senator Nelson. Senator Vitter? 

Senator Vitter. I’m fine. Thank you, Mr. Chairman. 

Senator Nelson. Well, Ms. Harrington, thank you very much for 
your testimony. 

Ms. Harrington. Thank you, Senator. 

Senator Nelson. We would ask the second panel to please come 
up. 

We are very pleased to have Mr. Arthur Butler, who is with the 
Americans for Fair Electronic Commerce Transactions; Mr. Jerry 
Cerasale, who is Senior Vice President, Government Affairs with 
Direct Marketing Association; Mr. Marc Rotenberg, Executive Di- 
rector, the Electronic Privacy Information Center; Dr. Benjamin 
Edelman, who is at the Harvard Business School; Mr. Vincent 
“WAE-fer” 

Mr. Weafer. “WEE-fer.” 

Senator Nelson. “WEE-fer,” who is Vice President, in Security 
Response with the Symantec Corporation, and on behalf also of the 
Business Software Alliance. 

We’ll start in the order that you are listed on the agenda. Mr. 
Butler. And what I want you to do, I don’t want you to sit here 
and read a statement to us. We’re going to take your printed state- 
ments. That’s going to be a part of the record. So what we want 
you to do is talk to us. 
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So, Mr. Butler. 

STATEMENT OF ARTHUR A. BUTLER, ATTORNEY, ATER WYNNE 

LLP, ON BEHALF OF AMERICANS FOR FAIR ELECTRONIC 

COMMERCE TRANSACTIONS (AFFECT) 

Mr. Butler. Good afternoon. My name is Art Butler. I’m an at- 
torney with the Ater Wynne law firm in Seattle, Washington, and 
I’m here today on behalf of AFFECT, which is a diverse group of 
nonprofits and commercial entities, including consumer groups, 
who are firmly committed to promoting the growth of fair and com- 
petitive transactions in software and other digital products. 

I first wanted to commend Senator Pryor and the other cospon- 
sors of the Counter Spy Act for introducing what we think is a very 
important piece of legislation and for holding this hearing, because 
you, like the members of AFFECT, are very worried about the pri- 
vacy and security issues that are presented by spyware. 

As our long statement indicates, we firmly support S. 1625 be- 
cause we believe that spyware is an insidious problem that des- 
perately needs to be addressed. The sad fact is that every computer 
in the United States is under attack from numerous sources that 
are trying to surreptitiously install or prevent the removal of 
spyware programs that will allow the spies to intercept or gain par- 
tial control of the user’s interaction with his or her computer with- 
out obtaining the user’s informed consent. 

Often the spyware that is introduced contains what are called 
back doors, which essentially are ways in which a computer spy 
can get around normal authentication and remotely gain control 
over the computer and avoid detection. Once someone gains control 
of your computer, they can install all kinds of different devices to 
compromise the security of that computer. In fact, it is generally 
agreed that spyware represents a significant threat to the security 
of any user’s computer system and data. 

While we support the bill, we do have a major concern with the 
exceptions section of the bill. That is due to, one, the fact that real- 
ly we don’t see that any of the exceptions that are listed there are 
really needed or justified. But we’re particularly concerned about 
the exception in subsection 6(a)(10) which would permit a provider 
to monitor or interact with a computer in order to prevent or detect 
the unauthorized use of software, fraudulent or other illegal activi- 
ties. 

We think this language is overly broad and it would in effect per- 
mit or protect activities which could be harmful to computer users 
in direct opposition to the objective of the bill. It would in effect 
allow a software vendor to freely monitor everything that’s on a 
user’s computer, essentially setting them up as an ad hoc police 
force to conduct warrantless searches and seizures. We don’t think 
that private entities should be allowed to engage in law enforce- 
ment activities. 

The most troubling fact to us is the fact that that language 
would permit a software vendor to unilaterally remotely disable the 
software on a computer or to disable a network connection or serv- 
ice. Often the question about whether use is unlawful or fraudulent 
or illegal is subject to legitimate dispute, and it really merits some 
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judicial consideration before you allow a software vendor to unilat- 
erally employ such a drastic remedy as remote disablement. 

This is a major concern to our members and we have in our long 
statement given examples of cases where you have seen software 
purveyors unilaterally decide that they didn’t get an adequate li- 
cense payment and then just go in and shut down someone’s com- 
puter, causing some very significant negative consequences for the 
computer user. 

But it’s also important to realize that a lot of these disputes 
never make it to the courthouse steps because the balance of harm 
that’s caused by someone unilaterally shutting down your computer 
is so far against the computer user that the mere threat that that 
can be used will cause the user to essentially cave in to the de- 
mands of a vendor. 

We are particularly concerned about what happens when some- 
one remotely accesses a computer and attempts to disable it be- 
cause that act alone can cause damage to other files owned by the 
computer user and the simple fact is that the existence of that code 
that allows remote access and disablement can present a vulner- 
ability that will allow security breaches by hackers, by saboteurs, 
by industrial and foreign government spies, and by terrorists. 

This is a major issue for our group, for both the smaller users 
and the large users. We have a suggestion for an amendment to 
subsection 6(a)(10) that would essentially limit that to the detec- 
tion or prevention of fraudulent or other illegal activities as prohib- 
ited by the Act, which we think is the appropriate limitation there. 

Thank you. I’d be glad to respond to any questions. 

[The prepared statement of Mr. Butler follows:] 

Prepared Statement of Arthur A. Butler, Attorney, Ater Wynne LLP, on 
Behalf of Americans for Fair Electronic Commerce Transactions (AFFECT) 

Good afternoon. My name is Art Butler. I am an attorney with Ater Wynne LLP 
in Seattle, Washington. I am very pleased to appear before you today on behalf of 
AFFECT (Americans for Fair Electronic Commerce Transactions) at this important 
hearing on the impact and policy implications of spyware on consumers and busi- 
nesses. AFFECT is a national coalition of consumer representatives, retail and man- 
ufacturing businesses, insurance institutions, financial institutions, technology pro- 
fessionals, librarians, and public interest organizations committed to promoting the 
growth of fair and competitive commerce in software and other digital products. 

We commend you, Chairman Pryor, and all the sponsors of the Counter Spy Act 
(S. 1625), for introducing this important bill because, like you, our members are 
very worried about the privacy and security risks associated with spyware. AFFECT 
strongly supports S. 1625. However, we are very concerned with the exception provi- 
sion and believe it is overly broad. In our view, it could in fact be construed to pro- 
tect wrongful acts that can result in great harm to computer users. We believe this 
section is in direct opposition to the laudable purpose of the bill and hope very much 
that you will consider the amendment which we propose today. 

AFFECT’S Concerns with Spyware 

AFFECT has been active in representing the interests of software consumers in 
the debates about the appropriate language to be included in anti-spyware legisla- 
tion in several states and has advocated strenuously that these legislatures not 
adopt exception language so broad that it swamps the prohibitions that are designed 
to protect computer users. Since AFFECT began actively educating legislators in the 
states of the potential for damage, creation of security vulnerabilities, and for inva- 
sion of privacy and unauthorized search and seizure in relation to consumers’ com- 
puters due to the exception language in question — the language has failed to pass 
in even one state legislature. 

The sad fact is that every computer in the United States is under attack from 
numerous sources trying to surreptitiously install or prevent removal of spyware 
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that will allow the spy to intercept or take partial control over the user’s interaction 
with the computer, without the user’s informed consent. 

While the term “spyware” suggests software that secretly monitors the user’s be- 
havior, the functions of spyware extend well beyond simple monitoring. Spyware can 
collect various types of personal information, interfere with the user’s control of the 
computer, change computer settings, result in slow connection speeds, loss of Inter- 
net or other programs, disable software firewalls and anti-virus software, and/or re- 
duce browser security settings, thus opening the system to further infections. It can 
enable identity theft and fraud. 

Often spyware will contain a “backdoor,” which is a method of bypassing normal 
authentication, securing remote access to a computer and obtaining access to 
plaintext, while attempting to remain undetected. Someone who has gained access 
to your computer can install many types of devices to compromise security, includ- 
ing operating system modifications, software worms, key loggers, and covert listen- 
ing devices. Some backdoors, such as the Sony/BMG rootkit 1 distributed silently on 
millions of music CDs through late 2005, are intended as digital rights management 
(DRM) measures and, in that case, as data gathering agents, since both surrep- 
titious programs they installed routinely contacted central servers. The copy preven- 
tion software Sony/BMG included on its CDs was automatically installed on Win- 
dows desktop computers when customers tried to play the CDs. The software inter- 
feres with the normal way in which the Microsoft Windows operating system plays 
CDs, opening security holes that allow viruses to break in, and causing other prob- 
lems. 2 

It is generally agreed that spyware represents a significant threat to the security 
of any computer owner’s data. Even for large enterprises spyware represents a seri- 
ous threat to the integrity of intellectual property, confidential data, and personally 
identifiable information of employees and customers. Accordingly, AFFECT supports 
legislative efforts, like S. 1625, that are designed to curb the use of harmful 
spyware. 3 

AFFECT’S Concerns with the Exception Provision of S. 1625 

AFFECT has concerns with the exception section of S. 1625, section 6, which is 
overly broad and could be construed to protect wrongful acts that can result in great 
harm to computer users in direct opposition to the purpose of the bill. 

We are particularly concerned about Subsection 6(a)( 10), which would permit a 
provider to monitor or interact with an individual’s computer, or Internet or other 
network connection or service for the “detection or prevention of the unauthorized 
use of software fraudulent or other illegal activities.” The reference to “unauthor- 
ized” is too vague and raises a number of questions. “Authorized” by whom? What 
is the process for authenticating the identity of the person using the software? And 
what are the standards for determining whether that person has the authority to 
perform a certain operation, and who decides? 

This language would allow a software vendor to surreptitiously download code 
onto a user’s computer and freely violate the user’s privacy by monitoring every- 
thing on his or her computer, as long as it did so under the guise of looking for 
unauthorized use, fraudulent, or illegal activities. It would allow the provider to set 
itself up as an ad hoc police force to conduct warrantless searches and to act as 
judge and jury to conduct unilateral seizures. Private entities do not and should not 
have the right to conduct law enforcement activities. 

More troubling is the fact that the language of Subsection 6(a)(10) would effec- 
tively allow a software provider to unilaterally decide to remotely shut down the 
user’s computer or Internet or other network connection or service. But whether the 
use of a particular software is “unauthorized,” “fraudulent,” or “illegal” is often sub- 
ject to legitimate dispute and merits some judicial consideration before a provider 
is allowed to unilaterally employ a drastic remedy like remote disablement. 

Permitting unilateral remote disablement is simply bad public policy. Unilateral 
remote disablement can cause great harm to any computer owner who depends on 


1 A “rootkit” is a program designed to take fundamental control of a computer system, without 
authorization by the system’s owners and legitimate managers. Typically, rootkits act to obscure 
their presence on the system through subversion or evasion of standard operating system secu- 
rity mechanisms. Often, they are also Trojans as well, fooling users into believing they are safe 
to run on their systems. 

2 As a result, a number of parties filed lawsuits against Sony/BMG; the company eventually 
recalled all the affected CDs. 

3 S. 1625 (Pryor), introduced in June 2007, would protect against the unauthorized installation 
of software that is used to take control of a computer in order to cause damage, collect personal 
information without consent, or otherwise enable identity theft. 
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access to and use of that computer, connection or service. For example, the shut- 
down of an owner’s system can cause great harm to: 

• a teacher using a computer to prepare for classroom lectures; 

• an insurer depending on a computer system to pay claims; 

• a manufacturer trying to deliver its products to meet contractual commitments; 
or 

• the public’s access to online library materials. 

That harm can be significantly larger than the harm to the software vendor (not 
getting a license fee). 

Even large enterprises are concerned about the threat of remote disablement. 
There have been a number of reported cases where software developers unilaterally 
determined that licensees didn’t make appropriate payments and simply shut down 
the computer programs. 4 The most widely reported was a case where a small soft- 
ware developer, Logisticon, Inc., installed malware within warehouse-management 
software delivered to cosmetic company, Revlon Inc. When the parties got into a dis- 
pute over whether the software had bugs and didn’t perform as promised, Revlon 
withheld payment. Logisticon then tapped into Revlon’s computers and disabled the 
program, which paralyzed Revlon’s shipping operations for 3 days. Losses to Revlon 
were about $20 million. Revlon sued, charging extortion. Logisticon claimed this was 
simply “electronic repossession.” The case was settled out of court. 

Clearly many disputes never make it to the courthouse steps because the balance 
of harm to be done via exercise of remote disablement is so overwhelmingly against 
the computer user that the mere threat of its use puts the user in an unfair posi- 
tion, and it must cave to the demands of the software vendor. The ability to unilat- 
erally disable a user’s computer or critical software running on it provides the soft- 
ware, network, or service provider undue leverage in a dispute even if the remedy 
is not exercised. Faced with a crippling and possibly even fatal disruption of its 
business, a user could be intimidated into relinquishing its rights and setting up 
precedents for its further disadvantage. This is because the risk to the provider that 
it will be held to have acted improperly is indefinite and its potential liability se- 
verely limited. Even if a provider wrongly exercises the remote disablement, it is 
unlikely the injured user will be able to recover money damages for the harm result- 
ing from this action, including losses to the user’s business attributable to the 
wrongful act, because providers routinely disclaim consequential damages in their 
licensee agreements; in fact, they routinely limit recoverable damages to the amount 
of the license fee. 


4 Other cases include the following: In 1998 in Franks & Sons, Inc. v. Information Solutions, 
Inc., the software developer installed a “drop-dead” code in the program. When the customer 
failed to pay as promised, the developer activated the drop-dead code, which prevented the cus- 
tomer from accessing the software as well as any stored information. The customer didn’t know 
about the drop-dead code, and the court found that it would be unconscionable to allow the soft- 
ware developer to hold the licensee ransom as it did. 

In 1991, in American Computer Trust Leasing v. Jack Farrell Implement Co., 763 F. Supp. 
1473 (D. Minn. 1991), the software developer, in a dispute over payment for the software, re- 
motely deactivated the software. The contract provided that the developer, who owned the soft- 
ware, could remotely access the licensee’s computer in order to service the software and that, 
if the licensee defaulted, the agreement was canceled. When the licensee didn’t pay, the devel- 
oper told the licensee that it was going to deactivate the program, which it promptly did. The 
licensee sued for damages, but the court ruled in favor of the developer on the grounds that 
the deactivation was “merely an exercise of [the developer’s] rights under the software license 
agreement . . .” 

There have been many other cases involving software developers either putting drop-dead 
code in their products or remotely disabling code when they thought the other party was in 
breach. For example, a Dallas medical device software developer was sued in 1989 for using a 
phone line to deactivate software that compiled patients’ lab results. The case was settled. In 
1990, during a dispute about the performance of a piece of code, the developer simply logged 
in and removed the code, until the licensee released the developer from any liability. The li- 
censee claimed that the general release was signed under duress, since he was being held eco- 
nomic hostage. Art Stone Theatrical Corp. v. Technical Programming & Support Systems, Inc., 
549 N.Y.S. 2d 789 (App. Div. 1990). 

In 1991, in Clayton X-Ray Co. v. Professional Systems Corp., 812 S.W.2d 565 (Mo. Ct. App. 
1991), a company involved in a payment dispute logged into the licensee’s computer and dis- 
abled the software. When the licensee tried to log on to see its files, all it saw was a copy of 
the unpaid bill. A jury awarded the licensee damages. 

In Werner, Zaroff, Slotnick, Stern & Askenazy v. Lewis, 588 N.Y.S. 2d 960 (Civ. Ct. 1992), 
a law firm contracted with a company to develop billing and insurance software. When the soft- 
ware reached a certain number bills, and when the developer decided it had not been paid suffi- 
ciently, it shut down the software disabling access to the law firm’s files. The law firm sued 
successfully. 
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Moreover, in reaching into an individual’s computer remotely to disable software 
residing on that computer, the software provider may not only violate privacy rights, 
but also damage the computer owner’s other files. And the monitoring and remote 
disablement of software on an owner’s computer by an outsider may compromise 
private information of employees, confidential and proprietary information of the 
owner, and, in some cases, national security information. As a result, it is possible 
that they could put an owner into breach of obligations it has under other laws ie.g.. 
Health Insurance Portability and Accountability Act). 

The simple fact is that the code used to remotely enter a computer and disable 
the software or the network connection makes the computer vulnerable to security 
breaches by hackers, saboteurs, industrial and foreign governmental spies, and ter- 
rorists. The consequences of a successful intentional or even accidental misuse of a 
computer system range from loss of confidentiality to loss of system integrity, which 
may lead to more serious concerns, like data theft or loss, or, in the case of a busi- 
ness, significant financial losses or worse. When there is an opportunity to nego- 
tiate, many enterprises, including governmental entities, will insist that their soft- 
ware license agreements contain a warranty prohibiting any “self-help code” or 
other software routing designed to disable a computer program automatically or 
that is under the positive control of a person other than the licensee of the software. 
Unfortunately, with mass market licenses individual consumers and businesses are 
not able to negotiate for a “no self-help code” warranty. 

Proposed Amendment 

S. 1625 is a commendable piece of legislation that addresses a real problem faced 
by computer users throughout this country. AFFECT supports it, but strongly rec- 
ommends that the exception provision of S. 1625 should only limit liability for inter- 
action with a network, service, or computer that is undertaken to detect or prevent 
fraudulent or other illegal activities as prohibited by the act itself. Therefore, AF- 
FECT proposes that Section 6(a)(10) of the bill be amended as follows: 

“(10) detection or prevention of the unauthoriz e d use of softwar e fraudulent or 
other illegal activities as prohibited by this Act.” 

Conclusion 

On behalf of AFFECT, thank you very much for the opportunity to appear before 
you today and for your consideration of our concerns. I would be happy to answer 
any questions you might have. 

Senator Nelson. Mr. Cerasale? 

STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, 

GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCIATION, 

INC. 

Mr. Cerasale. Senator Nelson, Members of the Committee: 
Thank you for the opportunity to appear here today. I’m Jerry 
Cerasale, Senior Vice President for Government Affairs for the Di- 
rect Marketing Association, an association of 3,600 marketers who 
present offers and services to consumers directly. 

It is important in that kind of a business model that we have 
trust, that the consumer trust the marketer, but the consumer also 
has to trust the channel of marketing, and that’s what we’re here 
talking about today. In the past 3 years we have moved quite a 
ways in trying to prevent spyware, and I think we have to praise 
quite a few groups. One is Congress for constantly looking at this 
and putting pressure on us. 

The second are the software vendors, one of whom is sitting here 
on the table with me, for producing excellent products to go after 
and being able to remove objectionable software. 

Third, organizations, TRUSTe and even DMA, for setting up 
guidelines and establishing education. DMA has worked with, 
partnered with, the Federal Trade Commission and OnGuard On- 
line. 
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Finally but not least, law enforcement, looking at the Federal 
Trade Commission, the Department of Justice, and the State Attor- 
neys General, pursuing bad actors. 

DMA supports removal of objectionable software and the means 
to do that. Our guidelines that we produce that all our members 
have to follow — and it’s attached to my larger testimony — bans or 
prohibits putting on software that takes over someone’s computer. 
It requires for installing other software that there be notes, that 
there be an easy means to uninstall or disable the program, that 
there be contact information concerning the organization that put 
the software on the computer so that the consumer can contact 
them, and that there be an easy, identifiable link to the privacy 
policy of that organization. 

So we have taken these steps and will continue to look at it 
more, and we had to write these guidelines in looking at it being 
not technologically, not focused on one technology, but to try and 
be broader so that as we get changes tomorrow and the next day, 
that we do not have to go back and rewrite our guidelines. 

We have a few specific comments concerning S. 1625. As we look 
at Section 4(b)(2) of the bill, we think also that this can be read 
very broadly and can in fact be used to cover legitimate advertising 
practices, those same practices that have helped create Cyber Mon- 
day to be a larger shopping day than Black Friday or support the 
great amount of free content on the Internet. 

We think, our suggestion is, in the previous Congress Section 
4(b)(2) had an additional provision in it dealing with bad acts, and 
we think that that is a suggestion we have for Section 4(b)(2). 

As we look on, and I have to comment on Section 6(a)(10), one 
of the things to be careful about when looking at legislation or reg- 
ulation in anti-fraud arenas is that we have, many of our members 
have anti-fraud provisions and those are out there to protect users 
from identity theft, and they have been fairly successful and suc- 
cessful in stopping credit card fraud and so forth. So as you look 
at things looking at the exceptions in 6(a)(10) is to make sure that 
we don’t have unintended consequences there. 

Finally, 6(a)(8) and (9), giving limited liability. Our concern here 
is that it will remove accountability for software vendors. We think 
that this is very important, to have this accountability. Objection- 
able software is a subjective term and you can disagree on it. Many 
DMA members have written to and contacted software vendors 
whose software has removed their particular software on someone’s 
computer and they have been able to work it out, very, very rep- 
utable organizations. Sometimes there has not been a resolution, 
and where do you go if there’s not a resolution on this subjective 
term? 

Finally, there are some software vendors who don’t answer phone 
calls, who don’t respond to letters, and who don’t respond to e- 
mails. If you have this kind of argument on a subjective issue, 
where do you go? So we’re very concerned that you, Congress not 
eliminate accountability. 

Thank you very much. 

[The prepared statement of Mr. Cerasale follows:] 
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Prepared Statement of Jerry Cerasale, Senior Vice President, 
Government Affairs, Direct Marketing Association, Inc. 

I. Introduction and Summary 

Good morning, Mr. Chairman and Members of the Committee. I am Jerry 
Cerasale, Senior Vice President for Government Affairs of the Direct Marketing As- 
sociation, and I thank you for the opportunity to appear before the Committee as 
it examines S. 1625 and the spyware issue in general. 

The Direct Marketing Association, Inc. (“DMA”) (www.the-dma.org) is the leading 
global trade association of businesses and nonprofit organizations using and sup- 
porting multichannel direct marketing tools and techniques. DMA advocates indus- 
try standards for responsible marketing, promotes relevance as the key to reaching 
consumers with desirable offers, and provides cutting-edge research, education, and 
networking opportunities to improve results throughout the end-to-end direct mar- 
keting process. Founded in 1917, DMA today represents more than 3,600 companies 
from dozens of vertical industries in the U.S. and 50 other nations, including a ma- 
jority of the Fortune 100 companies, as well as nonprofit organizations. Included are 
catalogers, financial services, book and magazine publishers, retail stores, industrial 
manufacturers, Internet-based businesses, and a host of other segments, as well as 
the service industries that support them. 

DMA and our members appreciate the Committee’s outreach to the business com- 
munity on this important issue. I note at the outset that this is a complicated issue. 
In part due to congressional attention, over the past several years there have been 
significant developments that have fundamentally improved the consumer experi- 
ence as it relates to spyware. Where once, just three short years ago, invasive pop- 
up ads, drive-by downloads, and software that hijacked computers were on the rise, 
consumers in 2008 experience fewer such unwanted practices. Industry guidelines 
for legitimate software downloads, strong self-regulation, major technological im- 
provements, and Federal Trade Commission (“FTC”) and state Attorney General en- 
forcement have all contributed to the current, significantly improved environment 
where the prevalence of spyware has been vastly reduced. While DMA supports the 
Committee’s interest in combating spyware, given that the marketplace has evolved 
considerably since previous Congresses considered this issue, we believe that a stat- 
utory approach that would cover a broad range of software downloads and online 
marketing might not achieve the desired purpose of limiting spyware, but might 
have the unintended effect of interfering with important e-commerce and marketing 
functionalities. 

Internet growth over the past 10 years has been nothing short of remarkable, and 
this growth is fueled by the seamlessness of interactions of content, software, adver- 
tising, and other services. The dramatic rise of the Internet is evident in the dollar 
amounts consumers spend purchasing products through Internet sales. Last year, 
on Cyber Monday, the busiest Internet shopping day of the year, shoppers spent 
more than $733 million online. 1 This represents an increase of 21 percent from the 
same day the previous year and is more than the amount shoppers spent on Black 
Friday. 2 

Additional statistics demonstrate the staggering growth in e-commerce. The U.S. 
Census Bureau, which releases quarterly retail e-commerce statistics, recently re- 
ported that estimated retail e-commerce sales for the 1st quarter of 2008 were $33.8 
billion, an increase of 13.6 percent from the 1st quarter of 2007. The Census Bureau 
also noted that 1st quarter e-commerce sales accounted for 3.4 percent of total 
sales. 3 

As these and similar figures suggest, the Internet revolution has had a tremen- 
dous impact on economic growth. The Internet has become a preferred mechanism 
of commerce for many consumers, and a key part of multi-channel sales efforts for 
businesses. This phenomenon has changed the way products and services reach the 
market, and enables consumers to shop in an environment that knows no restric- 
tions on time or place. 


1 Cyber Monday is the first Monday following Thanksgiving. In 2007, Cyber Monday fell on 
November 26. The Friday after Thanksgiving Day is known as Black Friday and is traditionally 
the largest brick and mortar shopping day of the year. 

2 See http .7 / www.comscore.com /press / release. asp?press=1921. 

3 U.S. Census Bureau, Quarterly Retail E-commerce Sales, 1st Quarter 2008, May 15, 2008. 
See http:! I www.census.gov I mrts I www I data I pdf 1 08Ql.pdf 



19 


II. Strong Guidelines, Technology, and Enforcement Have Reduced the 
Need for Legislation 

The combination of strong industry guidelines, anti-spyware technologies, and en- 
forcement of existing laws over the past 3 years has limited pernicious software 
downloads, reducing spyware’s threat to the positive consumer experience online. 
Together, we are winning the battle against such malicious practices. That said, this 
battle will be ongoing. Today’s solutions and remedies may be obsolete tomorrow. 
As technology continues to evolve rapidly, so too will the challenges posed by 
spyware and related bad practices. 

A. Industry Guidelines 

DMA has long been a leader in establishing comprehensive self-regulatory guide- 
lines for its members on important issues related to privacy and e-commerce, among 
many others. DMA and its member companies have a major stake in the success 
of electronic commerce and Internet marketing and advertising, and are among 
those benefiting from its growth. Our members understand that their success on the 
Internet is dependent on consumers’ confidence in the online medium, and they sup- 
port efforts that enrich a user’s experience while fostering consumer trust in online 
channels. Understanding the importance of standards and best practices in building 
consumer confidence, DMA, working with its members, in 2006 developed and 
adopted standards for software downloads as part of our Guidelines for Ethical 
Business Practice (“Guidelines”), to specifically discourage illegitimate software 
download practices that threaten to undermine electronic commerce and Internet 
advertising. 4 In our experience, industry guidelines are the most effective way to ad- 
dress concerns that arise in the continuously changing technological landscape. Such 
guidelines are flexible and adaptable in a timely manner so as to cover bad practices 
and not unintentionally or unnecessarily cover legitimate actors. These software 
guidelines and an analysis of their requirements are attached. 

B. Current Law Enforcement Efforts 

Technology, self-regulation, and enforcement of existing laws are adequately ad- 
dressing the problems caused by spyware. In the past couple of years, law enforce- 
ment officials have been using existing enforcement tools to pursue sources of 
spyware. The FTC has aggressively pursued adware companies engaging in im- 
proper business practices. Since 2004, the Commission has brought more than 10 
such cases under its deceptive and unfair practices authority. 5 In addition, the De- 
partment of Justice (“DOJ”) is actively combating spyware under the Computer 
Fraud and Abuse Act and the Wiretap Act, also with more than 10 cases to date. 6 
The states have been an important part of the enforcement efforts in this area as 
well, with state attorneys general using their fraud and consumer protection laws 
to target distributors of spyware. 7 Strong enforcement of existing laws, combined 
with industry self-policing and innovative technologies, thus, have drastically slowed 
the spread of spyware and its effects. As these efforts indicate, continued dedication 
of resources to enforcement has proven an effective response to spyware. 

C. Marketplace Technology Has Adapted to Combat Spyware 

The technological tools available to consumers to prevent spyware also have seen 
significant improvement in their effectiveness. These tools are highly sophisticated, 
user friendly, and widely available, and in many instances are available at no cost 
to the consumer. For instance, today’s anti-spyware software is proactive in detect- 
ing malware before it can penetrate a consumer’s personal computer, thereby elimi- 
nating frustrations of spyware by preventing it from ever being downloaded. Con- 
sumers also have access to new web browsers with stronger security features and 
better warning features. In addition, as spyware became a problem, industry re- 


4 Use of Software or Other Similar Technology Installed on a Computer or Similar Device, 
DMA Guidelines for Ethical Business Practice, at 21 (attached) (available at http:/ Iwww.the- 
dma.org I guidelines I EthicsGuidelines.pdf). 

5 See, e.g., In the Matter of DirectRevenue LLC, FTC File No. 052—3131 (filed Feb. 16, 2007); 
In the Matter of Sony BMG Music Entertainment, FTC File No. 062—3019 (filed Jan. 30, 2007); 
FTC v. ERG Ventures, LLC, FTC File No. 062-3192 (filed Nov. 29, 2006); In the Matter of 
Zango, Inc. flkla 180solutions, Inc., FTC File No. 052-3130 (filed Nov. 3, 2006). 

«CFAA, 18 U.S.C. §1030; Wiretap Act, 18 U.S.C §2511. See, e.g., U.S. v. Jerome T. 
Heckenkamp, http:/ / www.usdoj.gov / criminal / cybercrime / heckenkampSent.htm; U.S. v. Chris- 
topher Maxwell, http: I / www.usdoj.gov / criminal / cybercrime / maxwellPlea.htm. 

7 For example, New York attorneys general over the past few years, as well as other attorneys 
general, have been actively pursuing cases against companies for deceptive practices in connec- 
tion with spyware and adware. See New York Attorney General settlement with online adver- 
tisers, http: II www.oag.state.ny.us / press / 2007 /jan ljan.29b 07.html; settlement with 

DirectRevenue, http:! / www.oag.state.ny.us / press / 2006 / apr / apr04ab 06.html. 
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sponded by installing anti-spyware software onto personal computers before ship- 
ping them to customers. This service provides personal computers with an early vac- 
cination against spyware. 

III. Specific Concerns about S. 1625 

I would like to take this opportunity to discuss specific comments regarding S. 
1625, which is pending before the Committee. We believe that the significant devel- 
opments described warrant reevaluation of certain provisions of this legislation by 
the Committee, which we hope that the sponsors of this bill and the members of 
the Committee will consider. 

DMA is concerned that Section 4(b)(2) of the bill could create compliance uncer- 
tainty, which could, in turn, limit current and future critical e-commerce functions 
designed to make the Internet browsing experience seamless. For this reason, DMA 
believes that Section 4(b)(2) should be tailored to specifically target “bad practices,” 
rather than create the regulation of many legitimate information practices resulting 
from software. The current language in Section 4(b)(2) could be interpreted to ex- 
tend well beyond regulating “surreptitious surveillance” practices. We recommend 
that any restriction on data collected and correlated with a user’s online history be 
narrowed, as this bill did the last time it was considered and approved by this Com- 
mittee by adding the language contained in the previous bill. Our suggestion would 
apply only if the computer software was installed in a manner designed to conceal 
from a computer user the fact that the software was being installed and would per- 
form an information collection function. This type of approach would make clear 
that the bill targets deceptive acts — which should be the objective of any such legis- 
lation — and does not restrain legitimate practices. 

DMA also is concerned about Sections 6(a)(8) and (9), the provisions that would 
bestow limited liability on a business that removes “objectionable content” or soft- 
ware used in violation of the Act. While on its face, the authority to remove “objec- 
tionable content” may appear reasonable, the term “objectionable” is not defined 
and, as a consequence, section 6(a)(8) would allow any anti-spyware entity to act 
unilaterally, and without review, to block any material that it defines as “objection- 
able.” Under this authority, for example, an anti-spyware tool would be free to iden- 
tify and remove anti-fraud software from a computer, with no liability for doing so, 
or for fraudulent activities that may then be perpetrated, or it could use the unfet- 
tered discretion provided for in this subsection to block a competitor’s access even 
if that competitor has the specific consent of the user. Moreover, it could do so with- 
out any notice whatsoever to the user. We are, therefore, concerned that this provi- 
sion would grant full immunity to a business that oversteps its power to remove le- 
gitimate content and causes harm to another business or the user. This type of 
broad immunity would have negative consequences for consumers by undermining 
their personalized Internet experience. For instance, what may be “objectionable 
content” to an anti-spyware entity may be a consumer’s valued tool bar or personal- 
ized cookie. 

For similar reasons, DMA has concerns about Section 6(a)(9), which would permit 
a business to remove software used in violation of sections 3, 4, or 5 the Act. In 
previous versions of this bill, this type of immunity has been referred to as a “Good 
Samaritan” provision. We are concerned that providing limited liability to providers 
acting under “Good Samaritan” protection may also have unintended consequences 
for consumers and businesses. DMA supports a provider’s ability to remove or dis- 
able a program employed to perpetrate a bad act. However, we are concerned that 
a provision as broad as Section 6(a)(9) would allow a provider to remove legitimate 
software without consequence. The current framework, under which existing laws 
are used to hold anti-spyware companies liable for removal of legitimate software, 
has served as an important check on overreaching by such providers and should be 
preserved. 

In addition, the policy goal underlying a “Good Samaritan” exemption is unclear. 
This type of protection would limit liability for violations for providers of anti- 
spyware software that remove spyware from a computer. The operative provisions 
of Sections 3, 4, and 5 impose liability for causing the installation of software on 
a machine, not removing software. Thus, it is unclear why a provision limiting li- 
ability for “removal” of software is even necessary. Given the fact that it would limit 
liability where none exists in the first instance, DMA suggests that this provision 
be deleted. 

Finally, DMA recommends that the exemption provided in the definition of “soft- 
ware” (Section 12(14)) be modified to include “cookies and any other software that 
performs a similar or identical function or functions.” By limiting the exemption 
solely to cookies, the bill is essentially regulating technology rather than conduct. 
As a result, the hill would foreclose the inclusion of new and innovative technologies 
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that perform a similar or identical function as a cookie. This type of limitation 
would stifle innovation. 

IV. Conclusion 

In summary, the combination of advances in industry self-regulation, enforce- 
ment, and technology, coupled with concerns about interfering with legitimate uses 
of software for marketing purposes, necessitates that certain sections of S. 1625 be 
revisited. If regulation is necessary, and we believe that it is unclear that a need 
for legislation remains in light of recent technological innovations, it should be 
drafted in manner that does not undermine current efforts or upset consumers’ ex- 
pectations regarding the types of available, legitimate online marketing. 

I thank you for your time and the opportunity to speak before your Committee. 
I look forward to your questions and to working with the Committee on this legisla- 
tion. 


Attachment 1 


Analysis of DMA Guidelines 

The Direct Marketing Association requires member organizations to adhere to its 
Guideline on Use of Software or Other Similar Technology Installed on a Computer 
or Similar Device, which encourages members to provide notice and choice regarding 
software that may be downloaded onto a consumer’s personal computer or similar 
devices (attached). This Guideline clearly states that marketers should not install, 
have installed, or use, software or other similar technology on a computer or similar 
device that initiates deceptive practices or interferes with a user’s expectation of the 
functionality of the computer and its programs. Such practices include software that 
takes control of a computer, modem hijacking, denial of service attacks, and endless 
loop pop-up advertisements. This Guideline also is clear that businesses should not 
deploy programs that deceptively modify or disable security or browser settings or 
prevent the user’s efforts to disable or uninstall the software. DMA’s Ethics Policy 
Committee evaluates compliance with its guidelines and regularly publishes sum- 
maries of outcomes of matters considered. Penalties can include removal from mem- 
bership, referral to the Federal Trade Commission, and public disclosure of concern. 

This Guideline also details responsible practices for marketers offering software 
or other similar technology that is installed on a computer used to further legiti- 
mate marketing purposes. Specifically, such programs must provide a user with 
clear and conspicuous notice and choice at the point of joining a service or before 
the software or other similar technology begins operating on the user’s computer, 
including notice of significant effects of having the software or other similar tech- 
nology installed. Marketers also must give the user an easy means to uninstall the 
technology and/or disable all functionality. Finally, marketers should always provide 
an easily accessible link to privacy policies and contact information, as well as clear 
identification of the company making the offer. 

Given the rapid evolution of technology, DMA believes that self-regulation is the 
most effective means for setting business standards for legitimate marketing. Guide- 
lines like those published by DMA and TRUSTe condemn deceptive practices, strive 
to protect consumers, and foster legitimate Internet advertising and marketing. 
Guidelines are flexible and adaptable to changes in markets, business practices, and 
advances in technology. 

Another issue that DMA has sought to address through self-regulatory best prac- 
tices is the role of advertisers in ensuring that their advertisements are being dis- 
seminated responsibly. In some instances, there may be advertisers with good inten- 
tions who do not understand where their ads are appearing online. To help address 
some of these issues, DMA adopted best practices regarding online advertising net- 
works and affiliate marketing. 8 These best practices state, among other things, that 
marketers should obtain assurances that their partners will comply with legal re- 
quirements and DMA’s Guidelines for Ethical Business Practice, undertake due dili- 
gence in entering into these partnerships, define parameters for ad placement, and 
develop a monitoring system for online advertising and affiliate networks. These 
should limit the appearance of advertisements related to spyware. 


8 See DMA Best Practices for Online Advertising Networks and Affiliate Marketing (attached) 
(available at http:! / www.the-dma.org / guidelines / onlineadvertisingandaffiliatenetworkBP.pdf). 
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Attachment 2 

Excerpt from the DMA Guidelines for Ethical Business Practice 

Use of Software or Other Similar Technology Installed on a Computer or 
Similar Device 

Article #40 

Marketers should not install, have installed, or use, software or other similar 
technology on a computer or similar device that initiates deceptive practices or 
interferes with a user’s expectation of the functionality of the computer and its pro- 
grams. Such practices include, but are not limited to, software or other similar tech- 
nology that: 

• Takes control of a computer (e.g., relaying spam and viruses, modem hijacking, 
denial of service attacks, or endless loop pop-up advertisements) 

• Deceptively modifies or deceptively disables security or browser settings or 

• Prevents the user’s efforts to disable or uninstall the software or other similar 
technology 

Anyone that offers software or other similar technology that is installed on a com- 
puter or similar device for marketing purposes should: 

• Give the computer user clear and conspicuous notice and choice at the point of 
joining a service or before the software or other similar technology begins oper- 
ating on the user’s computer, including notice of significant effects* of having 
the software or other similar technology installed 

• Give the user an easy means to uninstall the software or other similar tech- 
nology and/or disable all functionality 

• Give an easily accessible link to your privacy policy and 

• Give clear identification of the software or other similar technology’s name and 
company information, and the ability for the user to contact that company 

• Determination of whether there are significant effects includes, for example: 

° Whether pop-up advertisements appear that are unexpected by the consumer 
° Whether there are changes to the computer’s home page or tool bar 
° Whether there are any changes to settings in security software, such as a fire- 
wall, to permit the software to communicate with the marketer or the com- 
pany deploying the software, or 

° Whether there are any other operational results that would inhibit the user’s 
expected functionality 

Cookies or other passive means of data collection, including web beacons, are not 
governed by this Guideline. Article #37 provides guidance regarding cookies and 
other passive means of data collection. 

Attachment 3 


June 2006 

DMA’s Internet Marketing Advisory Board (IMAB) Best Practices for 
Online Advertising Networks and Affiliate Marketing 

Online marketers using advertising and affiliate networks should: 

1. Obtain assurances that the online advertising and affiliate network is in full 
compliance with state law, Federal law, and the DMA Guidelines for Ethical 
Business Practice. 

2. Perform due diligence on prospective network advertising partners and make 
sure you are working with reputable firms. Additionally (if possible), obtain a 
sample list of current advertising clients. Due diligence should also include ei- 
ther: (1) asking for a full disclosure of eligible sites, or (2) a review of processes 
to limit access to unwanted sites or channels. When partnering with an aggre- 
gate site online advertising and affiliate networks should provide the marketer 
with a sampling of sites that are in their network. Due diligence should encom- 
pass the entire process from the marketer to the end consumer. 

3. Always utilize a written contract/agreement. This will provide you the great- 
est possible control over your ad placement. This will also be the mechanism 
by which you devise and enforce formulas and/or guidelines for where and how 
online ads will be placed. 
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4. Include specific parameters that must be employed to determine placement 
of your online ads in written agreements. Altering of offer by an advertising or 
affiliate network is prohibited. If laws, guidelines or set standards are violated 
your contract with the violating advertising or affiliate network should be ter- 
minated. 

5. Develop a system to routinely monitor your ad placements as well as your 
contract with any online advertising or affiliate network. 

Senator Nelson. Mr. Rotenberg? 

STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
ELECTRONIC PRIVACY INFORMATION CENTER (EPIC) 

Mr. Rotenberg. Thank you very much, Senator, and thank you 
for the opportunity to testify today. The Electronic Privacy Infor- 
mation Center has a long-term interest in the ability of the Federal 
Trade Commission to police business practices that impact Amer- 
ican consumers. We have worked with the FTC now for almost a 
decade to try to ensure that the Section 5 authority is used to pro- 
tect consumers because if consumers do not have trust and con- 
fidence in the electronic marketplace clearly it’s not good for con- 
sumers or businesses. 

Of course, the concerns about spyware are very real and the costs 
are very real. For consumers it’s not only their privacy and per- 
sonal information, it’s also the risk that financial details of bank 
account information, checking account information will be disclosed 
to others. It’s the risk of identity thieves. It’s the risk frankly sim- 
ply of the hassle of having to monitor your personal computer to 
make sure that there’s no improper surveillance taking place on 
your private activity. 

So we see a real urgency in addressing the spyware issue and en- 
suring that the Federal Trade Commission has the authority, has 
the necessary tools to crack down on these activities. 

Now, since you’ve asked us to make some brief remarks and be- 
cause my full statement will be entered into the hearing record, I 
thought it might be helpful to place this bill a little bit in the con- 
text of where we’ve been and where I think we may be going. This 
bill addresses the specific problem of products, applications and 
techniques that are placed on the consumer’s computer that surrep- 
titiously take information from the user or exploit vulnerabilities 
on the computer’s system. 

Clearly these are bad practices. They should be prohibited. I 
think there are some changes that could be made in terms of scope 
and definition that might make the bill a little bit more effective. 
But I also think it’s important to understand that this is simply 
one category of spyware and that there are other types of activities 
which I think you need to be aware of. 

We have concerns, for example, about Internet service providers 
that now view the opportunity to intercept communications, the 
routine Internet traffic of their customers, for advertising purposes. 
From our perspective that’s a form of spyware and if it’s not ad- 
dressed in this legislation perhaps it could be addressed somewhere 
else. 

We’re concerned about similar techniques that might be deployed 
against mobile telephones. A lot of information, personal informa- 
tion, is available on phones. These phones are becoming more so- 
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phisticated. They’re essentially mobile computers and many of the 
same concerns about privacy protection and spyware exist there as 
well. Even the advertising techniques on social networking sites 
such as Facebook which make it possible for third party developers 
to get access to a lot of detailed personal information they don’t 
really need access to is another issue we hope the Committee will 
consider. 

Again, it may not be possible to get to all these issues with this 
legislation, and we do think this legislation is a step in the right 
direction. But I think it is important as the Committee thinks 
broadly about evolving business practices to be aware of these 
threats. 

Now, to speak specifically about some of the recommendations 
that we would make for S. 1625, which we do favor — it’s an impor- 
tant bill — we think it is clearly important to expand the FTC au- 
thority in this area so that when they do pursue these investiga- 
tions we think it’s important that the FTC authority not preempt 
State authority. We already have very important examples. In 
Washington State, for example, the State attorney general was able 
to go after a company that actually claimed it was offering a prod- 
uct to help people with spyware. The way it did it was to put up 
advertising on the user’s computer which said: Oh, we’ve detected 
spyware on your computer; you need to purchase our product. 

Well, the State attorney general was able to go after that com- 
pany and reached a million dollar settlement. We think those types 
of innovative investigations and prosecutions are very important. 

There is an issue with the exclusion for liability. A company 
under one provision in the bill would be given very broad authority 
to install spyware and we think that really needs to be reined in 
a bit and it is an exception. I don’t think it’s too difficult to deal 
with. 

Finally, the category of information that the bill protects, what 
we think of as personally identifiable information, of course is 
changing very rapidly. Ten years ago we might have said, well, it’s 
a person’s telephone number and maybe their Social Security num- 
ber. Now we need to think about their identity or user number on 
a Facebook or social networking service, because that’s also a 
unique identifier that makes it possible to identify someone. 

Even a person’s password information, the person’s Internet pro- 
tocol address that’s uniquely linked to a computer, is a type of per- 
sonally identifiable information. We think those changes could be 
made in the bill as well. 

But it is important legislation. It takes on part of the problem 
and I hope the Committee will be able to act favorably on it. 

[The prepared statement of Mr. Rotenberg follows:] 

Prepared Statement of Marc Rotenberg, Executive Director, 
Electronic Privacy Information Center (EPIC) 

Senator Pryor, Chairman Inouye, Senator Stevens and members of the Com- 
mittee, thank you for the opportunity to testify today on the topic of spyware and 
S. 1625, the Counter Spy Act. My name is Marc Rotenberg and I am Executive Di- 
rector of the Electronic Privacy Information Center. EPIC is a non-partisan research 
organization based in Washington, D.C. EPIC was founded in 1994 to focus public 
attention on emerging civil liberties issues and to protect privacy, the First Amend- 
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ment, and constitutional values. EPIC recently filed a complaint at the Federal 
Trade Commission on the specific problem of commercial spyware. 1 

Spyware, adware, and other information collection techniques are a growing 
threat to the privacy of Internet users. Computer users have noticed the effects. 
Ninety percent of users say they have adjusted their online behavior out of fear of 
falling victim to software intrusions. 2 The Webroot automated threat research tool 
has identified more than half a million different potential malware sites since Janu- 
ary 2005. 3 Spyware can cause significant degradation in system performance, result 
in loss of Internet access and impose substantial costs on consumers and busi- 
nesses. 4 Spyware can assert control over the operation of computers. 5 The privacy 
risks of spyware include the theft of private information, monitoring of communica- 
tions and tracking of an individual’s online activity. 6 

Importantly, privacy threats are growing not just in numbers, but also in type. 
Traditional spyware, adware and tracking cookies are now joined by other threats 
such as mobile device spyware, 7 “stalkerware,” and the potential for social net- 
working applications to function as spyware. Spyware comes from several sources 
including online attackers, organized crime, marketing organizations and trusted in- 
siders. 8 

A new motivation for the cyber criminal is that spyware has become a profitable 
business. 9 Individuals can also deploy spyware against each other. 10 Some ISP’s 
have also begun to install their own spyware-like services. 11 

These threats require vigorous policy response. Policy must be able to innovate 
to recognize new challenges while substantively protecting consumer privacy. 

Notice and Consent Schemes Do Not Adequately Protect User Information 

Ultimately, users must be able to control how and when information about them 
is used, disclosed and held. Solutions which rely on simple notice and consent will 
not adequately protect users. A recent survey of California consumers showed that 
they fundamentally misunderstand their online privacy rights. 12 In two separate 
surveys almost 60 percent of consumers incorrectly believed that the presence of 
“privacy policy” meant that their privacy was protected. 13 In a different survey, 55 
percent of participants incorrectly believed that the presence of a privacy policy 
meant that websites could not sell their address and purchase information. 

Users also routinely click through notices. The Pew Internet and American Life 
Project found that 73 percent of users do not always read agreements, privacy state- 
ments or other disclaimers before downloading or installing programs. 14 In such an 
environment, merely giving notice to users before the collection of sensitive informa- 
tion from their computers fails to adequately protect privacy in the way consumers 
expect. 

Consumer data should instead receive substantive protection. Information should 
be kept securely, and users should have the ability to know what data about them 
is being kept, who it has been shared with, and to withdraw consent for the holding 
of this data. Further, data should only be collected and kept for specified purposes. 

Important security information should also receive protection, even if it does not 
identify a user. The Counter Spy Act places conditions on software that collects in- 
formation such as the user’s Social Security number and driver’s license number. 
It also protects as “sensitive personal information” information such as financial ac- 
count numbers when combined with passwords or other security codes. 15 Password 
and access information to other accounts, such as e-mail or social networking, are 
not included. 

EPIC recommends that strict protection be afforded to security information, such 
as username/password pairs, encryption keys, biometric data, or other access control 
information. The mining of this information may not lead directly to identity theft 
and other financial harm, but facilitates its spread. Gaining access to a user’s non- 
financial accounts allows further information to be collected and further crimes per- 
petrated. Compromised accounts may have valuable information stored in them or 
be used to originate further malware attacks, including by impersonating the com- 
promised account. 

Privacy Requires Strong and Innovative Enforcement 

EPIC supports giving the FTC the ability to seek treble fines and penalize pattern 
or practice violations, as section 7 of the Counter Spy Act does. These changes will 
improve the FTC’s effectiveness in pursuing repeat offenders, and also change the 
economic incentives and disincentives for purveyors of spyware. 

Several states are using innovative policies to protect their citizens’ privacy. 
Spyware legislation has been passed in several states, including Alaska, 16 Ari- 
zona, 17 California, 18 Florida, 19 Georgia, 20 Illinois, 21 Indiana, 22 Iowa, 23 Louisiana, 24 
Nevada, 25 New Hampshire, 26 Rhode Island, 27 Texas, 28 Utah, 29 and Washington. 30 
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The Utah statute, for example, makes provision for a private cause of action which 
may be brought by a mark owner who does business in Utah and is directly and 
adversely affected by the violation. 31 In such a suit a mark owner may recover the 
greater of $500 per each ad displayed or actual damages. 32 

State Attorneys General have pursued spyware providers under state spyware 
laws. Washington State successfully applied the Washington State Computer 
Spyware Act 33 (Spyware Act) to stop Secure Computer’s use of their free computer 
scan that always detects spyware leading to instructions to buy their Spyware 
Cleaner product in a $1,000,000 settlement. 34 The State alleged violations under the 
state’s Spyware Act, Federal and state spam laws, and the state Consumer Protec- 
tion Act. 35 The Attorney General’s Office accused the company of “falsely claiming 
computers were infected with spyware” to entice the consumer to pay for their pro- 
gram that claimed to remove it. 36 The settlement required the company to inform 
consumers of their right to a refund and pay a $1,000,000 judgment. 

For these reasons EPIC recommends that the Counter Spy act not preempt state 
laws and state enforcement actions, as section 11(b) does. Federal law should set 
a baseline of privacy protection. It should not cap it. 

EPIC recommends that the limitation in section 6(a)(10) be removed. The Counter 
Spy Act’s liability limitations broadly permit monitoring of users’ computers and 
personal information for the “detection or prevention of the unauthorized use of soft- 
ware fraudulent or other illegal activities.” 37 These limitations should be scaled 
back. The determination of whether uses are unauthorized, fraudulent or illegal 
may be complicated. 

Privacy Threats Beyond Traditional Spyware Programs 

Information collection online is not performed solely with spyware programs exe- 
cuted on user’s computers. Third-party and opt-out cookies present growing threats. 
The proliferation of mobile devices means a potential new place for spyware to act. 
Internet service providers are begging to deploy their own adware and profiling 
services in ways which users will find difficult, if not impossible, to detect. Impor- 
tant user information is leaving the desktops and instead is residing on online social 
networking profiles. This information includes sensitive personal information such 
as contact information, one’s social and business relationships, political interests, 
sexual orientation, as well as the contents of communications. Further, online social 
networking sites are increasing their own information collection practices. 

A “cookie” is information about a particular user’s identity and browsing behavior 
that web servers store on his computer, typically without his consent. 38 Cookies per- 
mit a user to customize his interface with a particular website, for example by auto- 
matically entering his username and password. 39 However, since cookies can match 
an individual user to his interests and browsing habits, they are increasingly placed, 
gathered, and exploited by advertisers and others with a commercial interest in pre- 
cisely targeting ads and services. 40 Anyone with access to that user’s cookies can 
track his browsing history and gather information about his behavior and identity. 41 
As a result, Internet users who are concerned about privacy are widely encouraged 
to routinely purge the cookies they have accumulated or to refuse cookies from 
websites that require them. 42 

The recent Google/Doubleclick merger raises significant privacy issues because of 
the planned merger of the Google search engine database with Doubleclick’s exten- 
sive data collection accomplished with third-party cookies. 43 EPIC filed a complaint 
with the FTC urging the Commission to impose privacy protections upon the merg- 
er, concluding: 

Google’s proposed acquisition of Doubleclick will give one company access to 
more information about the Internet activities of consumers than any other 
company in the world. Moreover, Google will operate with virtually no legal ob- 
ligation to ensure the privacy, security, and accuracy of the personal data that 
it collects. At this time, there is simply no consumer privacy issue more press- 
ing for the Commission to consider than Google’s plan to combine the search 
histories and website visit records of Internet users. 44 

In November 2007 Facebook launched its Beacon service. 45 Beacon collects infor- 
mation from Facebook users when engaged in actions on other websites. Facebook 
then uses this information to broadcast advertisements to that user’s friends on 
Facebook, alerting them of the actions that the user took on these other websites. 
Initially, Facebook only provided a brief opportunity for an opt-out. Facebook later 
added an opt-in system, and the option to globally opt out of Beacon. Shortly after 
Beacon’s launch, security researchers showed that Facebook is receiving information 
even from those who are not logged in to Facebook and are not Facebook mem- 
bers. 46 
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Users of social networking sites are also exposed to the information collection 
practices of third party social networking applications. On Facebook, installing ap- 
plications grants this third party application provider access to nearly all of a user’s 
information. 47 Significantly, third party applications do not only access the informa- 
tion about a given user that has added the application. Applications by default get 
access to much of the information about that user’s friends and network members 
that the user can see. This level of access is often not necessary. Researchers at the 
University of Virginia found that 90 percent of applications are given more access 
privileges than they need. 48 

These features may be exploited and the information used for other purposes. In- 
vestigators at the BBC took 3 hours to write an application that collected informa- 
tion that had been marked as unable to be shared with friends. 49 Facebook, as part 
of its response, cautioned that users should “employ the same precautions while 
downloading software from Facebook applications that they use when downloading 
software on their desktop.” 50 

Mobile device spyware also presents a future privacy threat, with unique features 
due to the mobile environment. In December 2006, McAfee reported on a new kind 
of mobile phone spyware, called SymbOS/Mobispy.A. 51 SymbOS/Mobispy.A installed 
on phones and recorded incoming and outgoing SMS messages. 52 It also tracked the 
phone numbers of all dialed and received calls. Mobile tracking presents unique 
dangers because it allows the tracker to determine the user’s location. While the 
data may be able to follow users anonymously it may also easily identify them — 
they are likely at home in the evenings. Location information should receive signifi- 
cant protection from tracking applications. 

A new more insidious form of adware has been tested in the United Kingdom, and 
at least one U.S. company has announced it will also use the system. 53 British 
Telecom contracted with the former adware company Phorm to create secret profiles 
of its users. 54 Users’ traffic was routed via Phorm boxes, which replaced ads on the 
pages users were visiting with its own targeted ads. In the U.S., Charter commu- 
nications announced that it will monitor consumers’ browsing in order to serve them 
targeted ads. 55 Charter sent several of its users cryptic notices of an “enhancement” 
to their web browsing experiences. 56 The letter pointed users to a website with more 
details, including the claim that “[t]here is no application downloaded onto a user’s 
computer and, therefore, there is no “adware” or “spyware” on your computer from 
Charter in this enhanced service.” 57 Thus a system that is functionally equivalent 
to spyware, and more dangerous due to its undetectability, is touted as safer be- 
cause it does not reside on the victim’s computer. 

Finally, some companies market spyware directly for consumers to use for stalk- 
ing and other criminal activities. These technologies are promoted to consumers to 
spy on e-mail and instant message exchanges, record websites visited, and capture 
passwords and logins. EPIC has filed a complaint with the FTC against such “Stalk- 
er spyware,” highlighting the unfair and deceptive practices used to market this 
software. 58 These practices include the promotion of illegal surveillance targets, the 
promotion of “Trojan Horse” e-mail attacks, and the failure to warn purchasers of 
the legal consequences of illegal use. 

We hope the FTC will take action on this complaint and take action against these 
firms. 

Conclusion 

Privacy online continues to face many threats, both from criminal entities as well 
as intrusive commercial ventures. Substantive consumer protections and innovative 
enforcement strategies are necessary to protect consumers from the evolving threat 
of information collection online. These threats include not just traditional spyware, 
but also the merger of online consumer databases, new social networking features, 
mobile spyware and stalker spyware. 

EPIC recommends passage of Counter Spy Act in line with the changes pointed 
out above. The Counter Spy Act should not preempt state law or enforcement; it 
should protect important security information like username/login pairs; and the li- 
ability limitations should be narrowed. Congress should also be aware of other de- 
veloping threats to privacy beyond traditional spyware programs. 
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STATEMENT OF BENJAMIN G. EDELMAN, 

ASSISTANT PROFESSOR, BUSINESS ADMINISTRATION, 
HARVARD BUSINESS SCHOOL 

Dr. Edelman. Thank you, Senator Pryor, Senator Nelson, Mem- 
bers of the Committee. 

Senator Pryor, I want to structure my remarks around your ini- 
tial question about the proper definition of spyware and Senator 
Vitter’s response immediately thereafter, concerned about both the 
risk of being over-inclusive and the risk of being under-inclusive, 
either of which would be a serious problem in making the legisla- 
tion as effective as the Committee hopes. 

I spend perhaps too much of my time in my lab testing spyware, 
going to the sorts of sites where users get infected, infecting my 
computer over and over, measuring the effects on it, figuring out 
how it gets infected and what it would take to clean the infections 
off. Well, two examples that I’ve seen in the past months I think 
are instructive for identifying potential under-inclusiveness of this 
legislation and then in rethinking alternative approaches that 
might help the Committee be that much more effective. 

So here’s one that I saw just 2 weeks ago in fact. A pop-up ad 
promised that it could, quote, “stop spam.” Upon clicking on the 
pop-up, I received a long text, several hundred words, center- 
aligned. Part of the text was off screen. It was very hard to read, 
in short. 

But if you read it carefully, you would find that it says it will 
show special offers in pop-up windows. OK, so it’s saying it’s going 
to show pop-up ads, but it’s in a small font. The word “pop-up” is 
actually off-screen, so you’d have to scroll around to find it. 

If you press “yes” the software will track the websites that you 
visit and the search terms that you enter and then, sure enough, 
it will show you pop-up ads, quite a few of them. 

So what about that program vis a vis this legislation? Can you 
point to a clause of this legislation that that program violates? It’s 
awfully hard to do actually. The program tracks some of the 
websites you visit, but when you look in Section 4, it needs to track 
those websites in a very particular way in order to fall afoul of that 
clause of Section 4. The underlying deception of having the tricky 
disclosure that’s hard to read, you won’t find anything about that 
in this legislation. 

Here’s another one: a program that tracks a user’s name, street 
address, and all of the web searches that they do, then sends that 
to their server for a variety of purposes, market research, perhaps 
some kind of marketing. There too, it’s hard to point to the clause 
in this legislation that the program violates. When you read 
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through the specific data elements that are prohibited under Sec- 
tion 4, you don’t see the data that I listed that the program copies. 

I think members of this committee would be concerned to have 
that sort of software on their computers, and would want it re- 
moved if they found it there and certainly the public shares that 
view, but it seems that this legislation wouldn’t cover at least those 
two examples. 

So what do we make of that? Well, Senator Pryor, as you and 
Senator Vitter immediately recognized, practices change quickly, 
and at our peril do we make a list of all the specific practices that 
ought to be prohibited, because the next day there will be more 
practices that we didn’t think of, despite our best efforts. 

So coming back to Ms. Harrington’s remarks, I think she’s abso- 
lutely right to emphasize the effectiveness on a long-term basis of 
the FTC Act. By prohibiting acts that have a tendency to deceive, 
that tend to be unfair to consumers — that is the sort of language 
that can prevent these one-sided bargains, where they show you 
pop-up ads and you don’t get anything in return, or they track you 
in great detail without telling you. That is an approach that has 
lasted for decades and will serve us well going forward. 

So what could this legislation do that would be helpful? Well, 
one, it seems the FTC lacks the statutory authority to get quite as 
large penalties as they ought to be able to receive. Imagine the set- 
tlement discussions between the FTC and a so-called adware 
maker. The adware maker is sitting there realizing that all the 
FTC can get is disgorgement of ill-gotten gains, and the company 
managed not to make a profit last year. So what’s the 
disgorgement? The disgorgement is zero. How much of a penalty 
can the FTC really extract under those circumstances? 

Consider a statutory grant of greater authority, of bigger pen- 
alties, of liquidated damages perhaps or some amount certain as a 
floor. “Even if you didn’t manage to make money, well, we’re going 
to make certain you lost money if you went around causing the 
kind of harm that’s at issue.” That could be very helpful. So I think 
that’s an approach the Committee might want to consider, avoiding 
attempting to define spyware because we have enough of that 
under the FTC Act, but instead granting greater statutory protec- 
tions in the form of increased liability. 

My written remarks flag two other issues I hope the Committee 
will consider. For one, preemption of State law doesn’t seem to me 
a good idea, given that there’s more than enough work to go 
around to keep everyone busy and some innovative statutory ap- 
proaches. Second, the Committee should avoid legislation that 
doesn’t quite fill the field and makes it too easy for a vendor to 
claim to not be spyware. A vendor might claim: “We are federally 
certified good software; we passed Senator Pryor’s standard and 
therefore we must be good.” But in fact that vendor could still be 
pretty sneaky and could continue to cause users substantial harm. 

So I’d caution the Committee at setting low standards. We need 
to be tough on spyware for the protection of all the users counting 
on this committee and this legislation for protection going forward. 

Thank you for your interest in this matter. 

[The prepared statement of Dr. Edelman follows:] 
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Prepared Statement of Benjamin G. Edelman, Assistant Professor, 
Harvard Business School 

Chairman Inouye, Senator Pryor, Members of the Committee: 

My name is Benjamin Edelman. I am an Assistant Professor at the Harvard Busi- 
ness School, where my research focuses on the design of electronic marketplaces, in- 
cluding designing online marketplaces to assure safety, reliability, and efficiency. 
My full biography and publication list are at http: I / www.benedelman.org I bio and 
http:/ / www. benedelman.org / publications. 

Today the Committee considers the important problems of Internet spyware and 
deceptive adware — scourges that threaten the reliability, trustworthiness, and over- 
all utility of many users’ Internet’s access. 

My bottom line: 

Despite some recent progress, spyware and adware continue to present substan- 
tial harms to Internet users and to the Internet as a whole. 

Many improper practices are already prohibited under existing statutes including 
the FTC Act, state consumer protection statutes, and state anti-spyware legislation. 
These statutes have given rise to a series of cases, both public and private, that 
have somewhat reined in the problems of spyware and adware. 

Tough Federal legislation could assist in bringing spyware and adware purveyors 
to justice, and in further deterring creation and support of this noxious software. 

But the bill at hand addresses only a portion of the problem, while in some ways 
reducing the effectiveness of existing efforts. By prohibiting specific individual prac- 
tices, the bill invites perpetrators to comply with the letter of the law while con- 
tinuing to harm and deceive consumers. Moreover, perpetrators are likely to boast 
of compliance — despite offering software no reasonable user would want. These loop- 
holes are inevitable in the bill’s “laundry list” approach, which unavoidably omits 
deceptive schemes not yet invented. 

Pages five and six set out my detailed suggestions for revision. I favor a rewrite 
that emphasizes consumer protection fundamentals such as a consumer’s right to 
know what software runs on his PC, and to grant or deny consent to each program 
that asks to be installed. But the FTC has already established these principles 
through its existing anti-spyware litigation. Thanks to existing legislation plus the 
FTC’s work to date, this bill can accomplish its apparent purpose without adding 
new prohibitions. Instead, this bill can grant the FTC discretion to seek increased 
penalties under existing statutes — sparing this committee the challenging task of 
deciding exactly what practices to prohibit. 

The Consumer Victims of Spyware and Adware 

Discussion of spyware and adware typically seeks, in the first instance, to attempt 
to protect the users who receive such software. After all, a computer with spyware 
or adware is often virtually crippled — filled with so many popups that doing other 
work is impossible or impractical, and slowed so dramatically that it is unappealing 
to use the computer for ordinary purposes. Legislation and enforcement can help 
prevent such damage. 

Adware vendors often claim their software arrives on users’ computers only after 
users agree. As a threshold matter, my hands-on testing has repeatedly proven that 
adware can become installed without a user’s consent . 1 But even if a user did accept 
the software, adware popups can nonetheless present substantial concern. For ex- 
ample, some adware popups are sexually-explicit — sometimes appearing without any 
obvious way to close the resulting windows to remove the explicit images . 2 Other 
adware popups resort to deception to try to sell their wares — combining the inter- 
ruption of popups with the trickery of false advertising . 3 Moreover, adware popups 
appear separate from the programs that caused them — making it hard for users to 
understand where the ads came from, why they’re there, and how to make them 
stop. 

Users face a variety of costs in restoring a computer to good working order after 
an infection of spyware and/or adware. Some users hire technicians to make appro- 
priate repairs. Others buy anti-spyware software. Furthermore, during the period 


1 See e.g., "Who Profits from Security Holes?” http: l / www.benedelman.org /news/ 111804- 
l.html. See also “Nonconsensual 180 Installations Continue . . .” http:! / www.oenedelman.org / 
newsl022006-l.html. See also “Spyware Installation Methods.” http: // www.benedelman.org / 
spyware / installations / . 

2 “Spyware Showing Unrequested Sexually-Explicit Images.” http:/ lwww.benedelman.org I 
news [0G2206-l.html. 

s See e.g., “Zango Practices Violating Zango’s Recent Settlement with the FTC” (heading 
"Zango Ads for Bogus Sites that Attempt to Defraud Users”), http : / lwww.benedelman.org/ 
spyware I zango-violations / . 
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in which spyware or adware impair a computer’s operation, the user loses some or 
all access to the system he or she has paid for. These are real and troubling costs — 
out-of-pocket expense, lost time, and reduced productivity. 

These harms are not outweighed by any countervailing benefits. Rare is the user 
who receives anything of genuine value from spyware or adware. Some vendors 
claim their software is useful, e.g., letting a user “participate in a market research 
community” or “access premium content.” But these claims rarely survive scrutiny. 
For example, it is hard to see a benefit in being tracked for market research, when 
standard practice is to pay participants to allow their behavior to be tracked. More- 
over, when a vendor promises “premium content” in exchange for popups, it turns 
out the supposed premium material is often readily available elsewhere for free, 
and/or material the vendor lacks proper license to redistribute . 4 

The harms caused by spyware and adware fall within the general realm of anti- 
consumer practices addressed by decades of consumer protection law. For example, 
just as other industries resorted to fine print to hide the unsavory aspects of their 
products , 5 so too do adware vendors often turn to lengthy texts, scroll boxes, or eu- 
phemisms to “disclose” key effects of their software . 6 Similarly, just as door-to-door 
salesmen made misleading claims to get consumers to let them in — literally, to “get 
a foot in the door” 7 — so too do adware vendors invoke deceptive campaigns to try 
to attract interest in their products . 8 That the truth is (in some way) made known 
prior to purchase (or installation) is no defense: Once a vendor has resorted to de- 
ception, caselaw indicates that the deception cannot be cured through a (supposed) 
corrective disclosure. Legislation ought to consider these myriad deceptive prac- 
tices — including anticipating that practices will continue to change as tricksters find 
new ways to deceive unsuspecting users. 

The Deeper Problem: Imposing Negative Externalities on Others 

In my view, spyware and adware legislation should also consider the substantial 
negative externalities that such programs impose on others. 

For example, spyware and adware impose large costs on ISPs, computer makers, 
and software developers. In practice, users often turn to their ISPs and/or computer 
makers for assistance with problems caused by spyware and adware. Meanwhile, 
independent software makers must consider how their software interacts with 
spyware or adware unexpectedly on a user’s computer — adding additional com- 
plexity and unpredictability. 

Spyware and adware cause further harm to the Internet’s infrastructure and to 
Internet users generally — even users who are not themselves infected with spyware 
or adware. As much as half of spam now comes from “zombie” infections . 9 Even if 
you keep your computer clean, others may not — and their computers may be used 
to send you spam. 

Furthermore, spyware and adware often attempt to defraud online advertisers — 
typically by claiming to show ads that were never actually shown, or by showing 
ads that users never agreed to receive. My research has uncovered spyware and 
adware performing click fraud — automatically activating pay-per-click advertise- 
ment links where advertisers are only supposed to pay if a user specifically and in- 
tentionally clicks such links . 10 Spyware and adware even interfere with advertising 
strategies widely perceived to present a lower risk of fraud. For example, some ad- 
vertisers pay advertising commissions only upon a user’s purchase — protecting 
against click fraud . 11 But pay-per-purchase advertisers can nonetheless be tricked 
by spyware and adware. For example, spyware and adware popups sometimes claim 
commissions on purchases they actually did nothing to facilitate . 12 


4 See e.g., “Debunking Zango’s ‘Content Economy.’” http: II www.benedelman.org / news / 
052808- l.html. 

5 See e.g., Hdagen-Dazs Co., 119 F.T.C. 762 (1995) (challenging effectiveness of fine-print foot- 
note modifying “98 percent fat free” claim for frozen yogurt products that were not low in fat). 

6 See e.g., “Gator’s EULA Gone Bad.” http:/ / www.benedelman.org / news 1 1 12904- l.html. 

7 See e.g., Encyclopedia Britannica, 87 F.T.C. 421 (1976), affd, 605 P.2d 964 (7th Cir. 1979), 
cert, denied, 445 U.S. 934 (1980) (rejecting “deceptive door opener” sales pitches). 

8 See e.g., “Zango Practices Violating Zango’s Recent Settlement with the FTC” (heading 
“Widespread Zango Banner-Based Installations without Unavoidable, Prominent Disclosure of 
Material Terms (XP SP2)”) (supra). 

9 Xie et al., “How Dynamic Are IP Addresses?” http : / fresearch.microsoft.com /projects Isgpsl 
sigcomm2007.pdf. 

10 “The Spyware — Click-Fraud Connection.” http:l / www.benedelman.org / news / 040406-1. html. 

11 These pay-per-purchase advertising systems are also known as cost-per-acquisition or 
“CPA.” 

18 See e.g., “Spyware Still Cheating Merchants . . .” http : / lwww.benedelman.org/news/ 
052107-1. html. 
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In short, spyware and adware make the Internet a place where ISPs and com- 
puter makers incur unexpected costs they must ultimately pass back to customers; 
where even those who keep their computers safe nonetheless suffer from the infec- 
tions that plague others; where advertisers cannot feel confident in the leads they 
pay to receive. The resulting costs make the Internet a weaker platform on which 
to do business, to all our detriment. 

How to Stop the Problems of Spyware and Adware 

Unlike the viruses of prior decades, spyware and adware tend to be created by 
business enterprises — groups that design this unwanted software, foist it onto users’ 
computers, and reap the rewards. The appropriate response: Find the perpetrators 
and hold them accountable. 

The past 4 years have brought considerable progress in identifying spyware and 
adware purveyors, and holding them accountable for what they have done. The New 
York Attorney General’s office brought the first major case against a spyware ven- 
dor, Intermix, whose KeenValue, IncrediFind, and other programs were widely in- 
stalled on users’ computers without any consent at all, and also without meaningful, 
informed consent. Subsequent litigation has pursued a variety of other vendors, 
with cases brought by the FTC, the City of Los Angeles, and Attorneys General in 
New York, South Carolina, Texas, and Washington. Several class actions have also 
challenged nonconsensual and deceptive installations. 13 

The prospect of similar litigation has pushed some spyware and adware vendors 
to substantially cease operations. For example, in the face of litigation against sev- 
eral of its competitors, Manhattan-based eXact Advertising shut its “adware” busi- 
ness, thereby ceasing the nonconsensual installation of its software that had pre- 
viously been so prevalent. 

Yet litigation has not stopped the deceptive practices of all vendors. Consider the 
actions of Bellevue, Washington-based Zango, Inc. During an FTC investigation of 
its practices, Zango stopped its partners from placing its software on users’ com- 
puters without first obtaining user consent. But despite its settlement with the FTC, 
Zango continues installations that are predicated on deception. For example, Zango 
continues to solicit installations via fake-user interface banner advertisements 
which deceptively masquerade as bona fide messages from software already on a 
user’s computer. 14 Moreover, despite a settlement requirement that every Zango ad- 
vertisement be “clearly and prominently” identified with the name of the program 
that delivered that ad, some Zango advertising toolbars still lack the required 
label. 15 

More generally, experience and economic intuition confirm the need for tough liti- 
gation to adequately deter sophisticated corporate wrongdoers. At present, FTC ac- 
tions typically seek disgorgement of ill-gotten gains. But effective deterrence re- 
quires a penalty that exceeds disgorgement, since investigation and litigation are 
less than certain. (Otherwise, a rational perpetrator would proceed in expectation 
of sometimes getting to keep the proceeds.) Experience shows inadequate deterrence 
to be a real problem. Consider the FTC’s $1.5 million settlement with 
DirectRevenue — letting the company’s principals retain $20 million of ill-gotten 
gains. As FTC Commissioner Leibowitz pointed out in his dissent to that settlement, 
spyware purveyors ought not reap windfalls from their deceit. To that end, I support 
the bill’s granting of a fine of three times the amount otherwise available. (Sec. 
7(b)(1).) 

Increasingly, purveyors of spyware and adware are not major U.S. companies that 
investigators can easily locate. Instead, surviving vendors tend to reside abroad, or 
at least tend to attempt to hide their true location. Despite their far-flung location, 
these vendors sometimes cause even more harm than American counterparts — 
seemingly taking greater liberties with users’ computers on the view that they are 
beyond prosecutorial reach. Legislation ought to seek to disrupt these businesses 
and limit the harm they cause. In my view, the most promising approach comes 
through financial investigations: Although they’re off-shore, these vendors still want 
to make money, and their primary revenue sources remain U.S. advertisers and ad 
networks. The New York Attorney General has already pursued selected advertisers 


13 See e.g., Sotelo v. DirectRevenue LLC, No. 05 C 2562 (N.D. 111. Aug. 29, 2005). 

14 See e.g., “Zango Practices Violating . . .” (heading “Widespread Zango Banner-Based Instal- 
lations without Unavoidable, Prominent Disclosure of Material Terms (XP SP2)”) {supra). More 
recent ( May 2008) proof on file. 

15 See e.g., "Zango Practices Violating Zango’s Recent Settlement with the FTC” (heading 
“Unlabeled Ads — Toolbars, Desktop Icons, and Pop-Ups”), http://www.benedelman.org/ 
spyware I zango-violations I . May 2008 proof on file. 
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that intentionally purchased large amounts of “adware” advertising. 16 It would be 
little stretch to pursue advertisers and ad networks that intentionally fund remain- 
ing spyware vendors. 

Specific Concerns in the Legislation at Hand 

Let me now turn to S. 1625, my specific suggestions, and some areas of concern. 

S. 1625 Risks Setting Low Standards that Do Little to Protect Against 
Remaining “Adware” 

S. 1625 rightly prohibits a range of outrageous and extreme behaviors. For exam- 
ple, it would be hard to defend the “endless loop popups” prohibited by Sec. 3(1)(D). 

But it is possible to skirt the bill’s prohibitions while causing consumers substan- 
tial harm and continuing the same practices traditionally associated with spyware 
and adware. Rather than showing so many popups that a user “cannot close the ad- 
vertisements without turning off the computer” (Sec. 3(1)(D)), a program might 
show one popup per minute — still a substantial intrusion, yet nowhere proscribed 
by S. 1625 as it stands. Similarly, rather than tracking the specific information pro- 
hibited under Sec. 4(a), a program might monitor “only” a user’s name, street ad- 
dress, phone number, and all web searches conducted. Although remarkably intru- 
sive, such tracking is seemingly permitted under Sec. 4. Thus, S. 1625’s approach 
creates a serious risk that spyware and adware vendors can continue business sub- 
stantially as usual. 

Moreover, spyware and adware vendors are likely to attempt to use any Federal 
legislation as a “shield” to deflect criticism of their practices. Indeed, Zango already 
invokes its settlement with the FTC as a supposed indicator of endorsement. Last 
year, Zango staff wrote to security vendors to say Zango has received “certification 
with the FTC.” 17 More recently, Zango claimed that security vendors ought not 
block or remove Zango software because if Zango’s software were harmful, “the FTC 
would not have entered into a consent agreement permitting Zango to market that 
software.” 18 Far from setting a minimum standard that vendors will aspire to ex- 
ceed, this bill thus risks creating a new supposed “certification” (or other low stand- 
ard) that vendors may invoke as a defense against allegations of impropriety. As 
a result, weak legislation could actually make the spyware and adware problem 
worse. 

Prohibiting the full spectrum of deceptive adware would require substantial re- 
working of S. 1625. Rather than prohibiting a lengthy list of specific bad acts, a re- 
write would probably begin with basic consumer protection fundamentals, e.g., that 
software must only be installed on a user’s computer after clear and prominent dis- 
closure as well as meaningful consent. 

If S. 1625 is to retain its present approach, a partially-responsive revision would 
add a preface or other comment to explicitly confirm the Committee’s intention — 
that compliance with S. 1625, in and of itself, does not assure that software is eth- 
ical, effective, desirable, or even useful. I realize that such an addition may seem 
vacuous — for of course the bill does not aspire to define what software is desirable 
or useful. But as the bill stands, adware vendors are virtually certain to attempt 
to invoke S. 1625 defensively — claiming that their software must be desirable since 
it meets the bill’s requirements. An appropriate preface could prevent that unwel- 
come strategy. 

S. 1625 Should Protect Security Vendors Assisting Users 

Security vendors face a barrage of complaints and, in some instances, litigation 
claiming that security firms err in removing harmful or deceptive software from 
users’ computers. See e.g. Zango, Inc. v. Kaspersky Lab, Inc. and New.net v. 
Lavasoft. Federal anti-spyware legislation offers a natural context in which to grant 
Good Samaritan protection to computer security software — immunizing the efforts 
of bona fide security vendors, in the ordinary course of business, to identify, block, 
and/or remove software users reasonably view as objectionable. S. 1625 could and 
should include such an immunization. 

S. 1625 Should Not Preempt Tougher State Laws 

As it stands, S. 1625 preempts tougher state laws. Given S. 1625’s limited prohibi- 
tions — a list of some specific bad acts, rather than a comprehensive framework for 
effective notice and consent — such preemption seems unwarranted. 


16 Assurances of Discontinuance — Cingular, Priceline, Travelocity. http : // www.oag.state.ny.us 
/ press 12007 / jan / adware-scannedAODs.pdf 

17 Forwarded e-mail on file in my possession. 

18 Reply Brief of Appellant. Zango, v. Kaspersky Lab. U.S. Court of Appeals for the Ninth Cir- 
cuit. No. 07-35800. 
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In particular, S. 1625 leaves ample room for states to do more to protect their 
consumers. For example, states could identify additional specific bad acts that ought 
not be permitted. Alternatively, states could identify alternative methods of enforce- 
ment — perhaps private litigation by those who are harmed (be they consumers, 
websites, computer makers, advertisers, ad networks, or otherwise). With so much 
room for innovation to further address these important problems, I see no proper 
basis for preemption of state legislation. 

A Simplified Bill Could Increase Penalties while Avoiding Other Questions 

A simplification of S. 1625 would strike all language except authorization of in- 
creased penalties. The treble fine in Sec. 7(b) would apply to all FTC actions under 
existing legislation, pertaining to software installed on a user’s computer that tracks 
user characteristics or activities, or that shows advertising. This dramatic sim- 
plification would relieve the Committee from the challenging questions of what spe- 
cific behaviors to prohibit, and would side-step all the concerns identified in my tes- 
timony. Yet this revision would offer major benefits — letting the FTC better sanction 
and deter perpetrators. I urge the Committee to consider this approach. 

Senator Pryor. Thank you. 

Mr. Weafer? 

STATEMENT OF VINCENT WEAFER, VICE PRESIDENT, 
SECURITY RESPONSE, SYMANTEC CORPORATION, ON BEHALF 
OF THE BUSINESS SOFTWARE ALLIANCE (BSA) 

Mr. Weafer. Mr. Chairman, Members of the Committee: Thank 
you very much for the opportunity to testify. 

Let me start with a question that was raised earlier, which is 
how large is the problem. If we look at spyware and malicious code 
in general, there is about 1.8 million pieces of unique code. Now, 
that’s a large number, but if you remember that about 800,000 of 
those malicious codes came in all of last year, so if you look at all 
the previous years last year represented the vast majority of those 
pieces of spyware and malicious code. In the first 6 months of this 
year, we’ve already surpassed what we saw last year, in 2007. 

Looking another way, we did a survey of people’s machines 
where we looked and we found about 57,000 unique pieces of files 
on their machine — Office, Windows, operating system files. 65 per- 
cent of those files were deemed to be potentially malicious or 
spyware on their machines. 

The Organization for Economic Cooperation and Development 
has estimated that something like 95 million U.S. people are sit- 
ting with spyware on their machines. It’s a large problem and it’s 
still growing. Now, this includes not just the grey actors, but also 
the black actors, the criminalization that’s occurring very much at 
the moment as well. 

In terms of S. 1625, one of the areas we definitely want to focus 
on is on the focus of behavior, not technologies. So we certainly 
want to prohibit bad conduct rather than pick certain technologies 
and say this act is good or this is bad, because that frequently 
forms a low bar for companies that try and target or simply raise 
themselves to that minimum level and say: We’re certified. 

Second, we do want to include our support for the legislation, the 
so-called Good Samaritan portion. So a Federal court recently ruled 
in the Kaspersky case that the Communications Decency Act gives 
such protection to providers of anti-spyware solutions. 

Now, we’re not seeking unlimited protection. In fact, we believe 
the legislative codification of Kaspersky could include language re- 
quiring good faith as well as a fair and effective dispute resolution 
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process. There should be a process, it should be fair, it should be 
open. That’s what we’re looking for as part of this provision. 

We also want to commend you for including in your bill a provi- 
sion for allowing perfectly legitimate activities, such as the detec- 
tion and prevention of unauthorized use of the software. This is es- 
sential to our industry, the software industry, because fraud or pi- 
racy also includes almost $50 billion in damage every year. So we 
believe this is also an important part. 

I’ll keep my remarks short and just thank you very much for 
your time. 

[The prepared statement of Mr. Weafer follows:] 

Prepared Statement of Vincent Weafer, Vice President, Security Response, 
Symantec Corporation on Behalf of the Business Software Alliance (BSA) 

Mr. Chairman, Mr. Ranking Member, Members of the Committee, good afternoon. 
Thank you very much for the opportunity to testify here today. My name is Vincent 
Weafer and I am Vice President of Security Response at Symantec Corporation. I 
will be testifying today on behalf of the Business Software Alliance (BSA). 

Symantec is one of the world’s leading software companies. We are headquartered 
in Cupertino, California, operate in 40 countries worldwide and have more than 
17,500 employees. Symantec’s mission is to help individuals and enterprises assure 
the security, availability, and integrity of their electronic information. As the global 
leader in information security, we protect more people from online threats than any- 
one in the world. Symantec offers our customers products that detect and remove 
spyware and harmful adware, and our Norton brand of products is the worldwide 
leader in consumer security and problem-solving solutions. 

The Business Software Alliance (www.bsa.org) 1 is the foremost organization dedi- 
cated to promoting a safe and legal digital world. BSA is the voice of the world’s 
commercial software industry and its hardware partners before governments and in 
the international marketplace. Its members represent one of the fastest growing in- 
dustries in the world. BSA programs foster technology innovation through education 
and policy initiatives that promote copyright protection, cyber security, trade and 
e-commerce. 

It is a pleasure to be here today to discuss the serious issue of cyber security: pro- 
tecting millions of computer users from those who maliciously install software on 
computers to compromise and steal sensitive, personal information. Such software 
goes by the name of “spyware.” Mr. Chairman, I commend you and your colleagues, 
Senator Boxer and Senator Nelson for your leadership in addressing this invasive 
and deceptive practice through the Counter Spy Act (S. 1625). 

Today, I would like to make three points: 

First, spyware and harmful adware represent a critical threat to security and 
privacy on the Internet. It is a threat that must be met and defeated. 

Second, legislation can and should play an important role. We urge the Com- 
mittee to consider language which focuses on the malicious intent behind this 
reprehensible behavior, not “bad” technological tools like computers, software 
and the Internet. We want to work with you to ensure that anti-spyware legis- 
lation moving through Congress targets reprehensible behavior and avoids the 
trap of defining “good” or “bad” technology. 

Third, we believe that legislation should contain specific provisions to ensure 
that developers of anti-spyware tools can protect their customers without fear 
of threats and legal harassment. 

And fourth, we commend you for including in your bill a provision clarifying 
that security and anti-piracy activities are not in fact spyware. 

What Threat Are We Facing? 

Mr. Chairman, we commend you for your leadership in addressing the real threat 
and grave threat of spyware and harmful adware. 


1 BSA members include Adobe, Apple, Autodesk, Avid, Bentley Systems, Borland, CA, Cadence 
Design Systems, Cisco Systems, CNC Software/Mastercam, Corel, Dell, EMC, HP, IBM, Intel, 
McAfee, Microsoft, Monotype Imaging, PTC, Quark, Quest Software, SAP, Siemens PLM Soft- 
ware, SolidWorks, Sybase, Symantec, Synopsys, and The MathWorks. 
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Spyware and harmful adware are stand-alone programs that can monitor system 
activity and either relay the information back to another computer or hold it for 
subsequent retrieval. 

Spyware programs are placed on a user’s system — often times without the knowl- 
edge of the user — in order to steal confidential information, such as usernames, 
passwords and credit card details. This can be done through keystroke logging, or 
capturing e-mail and instant messaging traffic. Spyware is of particular concern be- 
cause of its potential for use in identity theft and fraud. 

A growing type of spyware is rogue anti-spyware/anti-virus applications. They de- 
ceive users by displaying scary warnings about the computer being infected with a 
large number of fake threats, and then ask the user to buy the software to fix the 
problems. Another recent trend is programs that attempt to use the license agree- 
ment to prevent the end-user from sending any portion of the spyware program to 
anti-spyware companies. 

Harmful adware programs capture information about the computer usage and 
Internet browsing habits of the user (such as websites visited and e-commerce pur- 
chases made). They generate a deluge of disruptive ads, usually in the form of pop- 
up windows, on the computer’s screen. This represents a potential violation of pri- 
vacy, and degrades user experience and computer performance by bogging down a 
computer’s normal functions. 

How prevalent is the problem of spyware and harmful adware? 

Symantec publishes twice a year the Internet Security Threat Report (ISTR), a 
comprehensive compilation of Internet threat data, which gives us a unique perspec- 
tive on the prevalence of spyware. The ISTR includes analysis of network-based at- 
tacks, a review of known vulnerabilities, and highlights of malicious code and addi- 
tional security risks. We compile our data from more than 24,000 sensors moni- 
toring network activity in over 180 countries, as well as information compiled from 
over 120 million client, server and gateway systems that have deployed our 
antivirus products, and through the 25 million e-mail messages we filter for our cus- 
tomers everyday. 

According to our most recent Internet Security Threat Report, spyware continues 
to be a serious security risk for consumers. The latest Internet Security Threat Re- 
port released by Symantec in April 2008 reveals that Attackers have adopted stealth 
tactics that prey on end-users on individual computers via the World Wide Web, 
rather than attempting high-volume broadcast attacks to penetrate networks. This 
may be because enterprise network attacks are now more likely to be discovered and 
shut down, whereas specifically targeted malicious activity on end-user computers 
and/or websites is less likely to be detected. Site-specific vulnerabilities are perhaps 
the most telling indication of this trend. During the last 6 months of 2007, there 
were 11,253 site-specific cross-site scripting vulnerabilities = Cyber criminals con- 
tinue to refine their attack methods in an attempt to remain undetected and to cre- 
ate global, cooperative networks to support the ongoing growth of criminal activity. 

Adware and spyware continue to propagate, according to the ISTR. At the begin- 
ning of June 2008, there are over 1.8 million known malware and security risks 
with the majority of these being discovered in the past 18 months. In the last 6 
months of 2007, threats to confidential information made up 68 percent of the vol- 
ume of the top malicious code samples. Malicious code can expose confidential infor- 
mation in a variety of ways, including exporting user and system data, exporting 
e-mail addresses, recording keystrokes and allowing remote malicious access to a 
computer. At the same time, today’s attacks are more surreptitious than ever before, 
less likely to be detected rapidly, and more likely to have a direct impact on a user’s 
finances. 

As an illustration of the scale of the problem, a recent report by the Organization 
for Economic Cooperation and Development (OECD), estimates that 59 million users 
in the U.S. have spyware or other types of malware on their computers. 

In summary, spyware and harmful adware are, quite simply, a critical threat to 
our online security and privacy. It is wrong and it must be stopped. 

Ban Bad Behavior, not Technology 

Fortunately, the marketplace is responding to the need to address this challenge. 

Cyber security companies are investing heavily in newer generations of classifica- 
tion, behavioral detection and white listing technologies to handle the increasing 
volume and variety of spyware and malicious code threats. For example, Symantec 
creates security programs that watch out for known malicious threats, as well as 
unknown software that exhibits suspicious characteristics. Symantec products clas- 
sify and categorize programs according to functionality. This allows a user to select 
an acceptable risk level and detect only programs that fall outside the user’s own 
acceptable limits We continually add new definitions and new defenses to address 
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the ever evolving dangers in the Internet threat landscape such as worms, spyware, 
spam, and phishing. 

In addition, critical technologies such as web browsers are being revamped with 
more security, as they increasingly become a focus for attacks. Web browser security 
is particularly important because browsers come in contact with more untrusted or 
potentially hostile content than most other applications. 

We believe however that, in addition to the response of the marketplace, legisla- 
tion can and should play a role. Spyware is a serious online threat to the public 
interest. As you have recognized, Mr. Chairman, this threat requires Congress to 
empower Federal agencies to enforce prohibitions that will help curb the scourge of 
spyware and harmful adware. 

We want to work with you to ensure that legislation moving through Congress 
targets reprehensible behavior, rather than attempts to define “good” or “bad” tech- 
nology. 

We believe that legislation should not prohibit specific technologies. Computers, 
software and the Internet are tools that are used in thousands of ways to enhance 
how we work, study, communicate and live. These tools are an indispensable part 
of our daily lives. The fact that a number of bad actors have figured out how to use 
these tools for illegitimate purposes does not mean the tools themselves are the 
cause of the harm. 

If technology was to be constrained or regulated, we would lose much of the rich- 
ness and power that computing has brought to our modern lives. 

Let me put it a different way. We don’t ban crowbars because some people use 
them to break into houses. We don’t ban cars because some people use them to flee 
from the scene of a crime. 

Prohibiting conduct, rather than technology, avoids the danger of dictating the de- 
sign and operation of computer software and hardware. Congress has wisely avoided 
imposing a number of technology mandates to maintain the U.S. technology indus- 
try as the envy of the world. It has been responsible for incredible improvements 
in productivity, millions of jobs, billions of dollars in exports, and immense benefits 
to every consumer. Government intervention that replaces marketplace solutions 
with governmental decisions endangers America’s technology leadership. It hurts 
users of technology products by stifling innovation, freezing in place particular tech- 
nologies, impairing product performance, and increasing consumer costs. 

Mr. Chairman, Symantec and other BSA member companies want to work with 
you and your staff to ensure that S. 1625 focuses even more clearly on harmful ac- 
tivities, rather than on the technology that is misused to perform these activities. 

Currently, S. 1625 includes a few provisions that risk affecting legitimate soft- 
ware and Internet functionalities, and thus compromise the operations of today’s 
computers — as well as the direction of future technology. Let me give you just a few 
examples: 

• Section 3(1)(A) prohibits the installation of software that transmits or relays 
commercial electronic mail. This would constrain the development and use of 
legitimate and innovative methods to generate and send electronic communica- 
tions; 

• Section 3(3)(B) regulates how software that is installed on a computer must be 
named and where it must be located, and how it can be uninstalled. Again, this 
would constrain how legitimate software is deployed and operates. 

We believe the problems inherent in such an approach can be avoided if Congress 
instead focuses directly on the behavior we are trying to stop: the use of unfair or 
deceptive means to install software on computers, as well as the unauthorized ac- 
quisition, use or commercialization of information from individuals. This is for ex- 
ample what section 2 and section 4(a) of your bill do. We commend you for the inclu- 
sion of such provisions, which strike at the heart of the spyware and harmful 
adware problem and which we believe would be useful tools in the hands of enforce- 
ment agencies. 

Such an approach significantly mitigates the risk that legislation may hamper or 
constrain the development and use of technology, while achieving your objective of 
protecting computer users. In addition, while products can be moved offshore and 
out of reach of our laws, the collection of information from computers within our 
borders is a problem that we can more easily and effectively address. 

Enable Anti-Spyware Companies to Continue to Best Protect Computer 
Users 

Developers of anti-spyware solutions are providing effective protection to com- 
puter users against online threats. Unfortunately, they are threatened with lawsuits 
for defamation and interference with their business by spyware and harmful adware 
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companies. These spurious threats force anti-spyware companies to divert precious 
resources to fight to protect themselves in Court. This is intended to disrupt and 
deter the development of tools that empower consumers to stop unwanted software 
from being put on their computers. 

BSA supports including in anti-spyware legislation what is often called a “Good 
Samaritan” provision. This would limit remedies against developers of anti-spyware 
tools. This would be far from unprecedented. In fact, Congress has repeatedly legis- 
lated targeted protection for a host of similarly beneficial activities, such as chari- 
table food donations, the use of Automated External Defibrillators, or liability aris- 
ing from sharing information about the Y2K problem. 2 Last but not least, in June 
of last year the House of Representatives supported, by an overwhelming majority 
of 368 to 48, H.R. 964, the Spy Act. The Spy Act includes such a Good Samaritan 
provision for anti-spyware activities. 

Mr. Chairman, I want to bring to your attention an important Federal court case, 
Zango v. Kaspersky. In August 2007, the U.S. District Court for the Western District 
of Washington ruled that the protection afforded by section 230(c)(2) of the Commu- 
nications Decency Act (CDA) of 1996 (47 U.S.C. 230), to providers of solutions that 
filter objectionable content, covers providers of anti-spyware solutions. 3 

Mr. Chairman, we understand why a former Attorney General like yourself would 
exercise caution in limiting judicial remedies. In fact, we are not seeking unlimited 
protection. We fully agree that good faith and due process must be applied by an 
anti-spyware provider when his product targets a software application for removal 
by the computer user. 

We believe that the protection provided by Congress in section 230(c)(2) of the 
CDA can only extend to software providers who are truly seeking to empower users 
to exercise control over objectionable content received over the Internet. This protec- 
tion does not apply if they are pursuing, for example, fraudulent or anti-competitive 
objectives (such as an anti-spyware company’s product blocking the installation of 
a competitor’s security solution.) 

Mr. Chairman, BSA believes that legislative codification of the Kaspersky ruling, 
including language that requires good faith and fair and effective dispute resolution 
would in fact exceed the safeguards provided by the House when it passed H.R. 964 
last year. It would thus provide a strong foundation for the Senate to work with 
the House toward enactment of legislation, which is a priority that BSA shares with 
you. 

Security and Anti-Piracy Activities Are Not Spyware 

Mr. Chairman, before I conclude my testimony, I would like to commend you for 
including in section 6(a) of your bill a provision allowing legitimate security and 
anti-piracy activities. 

This exemption has been supported at the Federal and state levels by a host of 
technology industry organizations representing telecom providers, cable companies, 
software producers, and Internet service providers. The activities in question are 
perfectly legitimate, such as diagnostics, network or computer security, repairs, net- 
work management, etc. All these activities are conducted by network administrators 
to maintain and secure their systems. 

Section 6(a) also covers the detection and prevention of the unauthorized use of 
software. This is essential to our industry’s ability to protect our products against 
theft. Software piracy results in almost $50 billion in losses to the software industry 
each year, including more than $8 billion in the U.S. alone. Given these massive 
losses, it is absolutely critical that companies that engage in otherwise lawful con- 
duct to detect or prevent piracy or other unlawful acts are not unwittingly subject 
to liability under anti-spyware laws. Section 6(a) is narrowly and carefully drafted 
to address this important goal. 

Certain interest groups may seek to drastically weaken or delete this provision. 
They may claim that it creates a license to snoop on people’s computers, shut down 


2 The Bill Emerson Good Samaritan Food Donation Act (42 U.S.C. 1791) precludes civil and 
criminal liability arising from food donated in good faith, except in cases of gross negligence or 
intentional misconduct. The Cardiac Arrest Survival Act of 2000 (42 U.S.C. 238q) precludes civil 
liability arising from any harm resulting from the use of an Automated External Defibrillator, 
except where there was no proper notification of emergency personnel, maintenance of the 
defibrillator or employee training. The Year 2000 Information and Readiness Disclosure Act (15 
U.S.C. 1) precludes liability arising from statements and disclosures regarding the Y2K problem, 
except in cases of recklessness or intent to deceive. 

3 Zango has appealed the ruling and BSA, as well as several other online consumer protection 
organizations such as the AntiSpyware Coalition (ASC), the Center for Democracy and Tech- 
nology (CDT) and the Electronic Frontier Foundation (EFF), have filed an Amicus Brief asking 
the Court of Appeals for the Ninth Circuit to affirm the District Court’s decision. 
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their IT networks, or circumvent state consumer protection, privacy, and contract 
laws. This is patently false. The provision does not go beyond limiting liability under 
your bill, and it limits liability under your bill only. Anyone who engages in an act 
that violates any other Federal or state law is and will remain fully liable under 
those laws. The purpose of weakening this provision is not to protect against 
spyware, but to make it harder for legitimate companies to fight piracy, or other 
fraudulent or illegal activities. The laudable anti-spyware goals of the Act should 
not be subverted for this purpose. 

Thank you again for this opportunity to comment on the issue of spyware and the 
Counter Spy Act. I would be happy to answer any question you may have. 

Senator Pryor. Well, thank you. 

Let me go ahead and start with you, Mr. Weafer, because I as- 
sume that your company has a working definition of spyware. Do 
you have a definition of spyware? 

Mr. Weafer. Yes, we do. 

Senator Pryor. And as I understand it, the Federal Trade Com- 
mission does not have an adequate definition of spyware; is that 
right? 

Mr. Weafer. That’s right. There are different definitions out 
there. One thing we have done as an industry is come together to 
try and create a common definition of spyware. So we’re part of a 
coalition, the Anti-Spyware Coalition. We have posted what we be- 
lieve is a shared and fair assessment of what spyware is. 

Even within that definition, there is some degree of what is in- 
cluded, what is considered personally identifiable information. We 
do believe there are fairly good standards relating to what is 
spyware and why the concern is there. 

Senator Pryor. So is there then an industry consensus on what 
spyware is and what it’s not? 

Mr. Weafer. We believe there is, even though there is probably 
some differences or subtleties in the language themselves. 

Senator Pryor. Do we have that definition? Have you provided 
that to the Committee? 

Mr. Weafer. If we haven’t, we will provide. 

Senator Pryor. That would be great because I think that would 
be helpful for us. 

If I may, Mr. Edelman, it sounds like you spend a lot of time try- 
ing to figure out what’s out there and you know how it infects peo- 
ple’s computers and what it does. Tell me what you’re seeing out 
there, two or three of the most prevalent forms of spyware that are 
currently infiltrating people’s computers? 

Dr. Edelman. Well, it’s easy to be complacent and think that the 
problem of unwanted pop-up ads is over. That’s not what I see in 
testing the sorts of websites where users get infected. I still see 
plenty of websites that will fill your computer with pop-ups and 
make money from those pop-ups through the biggest American ad 
networks out there. Maybe I shouldn’t name any names today, but 
you can imagine the sort of advertising intermediaries who fund all 
kinds of behavior on the web and, remarkably, continue to fund the 
pop-ups that users so despise. 

Separate from that, there are so-called market research compa- 
nies that track users’ behavior in great detail — every website you 
visit, every search you make, every product you buy, every product 
you look at but don’t buy. That’s a little spooky to me, frankly. I’m 
not sure I want those records about me kept anywhere. What if it 
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gets hacked? You know, what if that goes on the web somewhere 
and everyone can see it? 

Beyond that, I do see serious criminal enterprises taking over 
users’ computers, using them to send spam. I have to defend my 
computer so that when I allow my computer to be infected by 
spyware, it doesn’t go around sending spam. So there’s a little bit 
of complication even for me just in safely testing the software. 

Denial of service attacks. Often you’ll see programs that take 
over a user’s computer and use it to attack some other computer. 

All of these behaviors still remain prevalent, the same kinds of 
problems we were talking about 2 years ago, 3 years ago, 4 years 
ago still occurring, albeit some of them somewhat harder to track 
down. 

Senator Pryor. You mentioned that you go to the types of 
websites that will contain spyware. What types of websites typi- 
cally expose people to spyware? 

Dr. Edelman. Well, it can happen anywhere. You know, histori- 
cally there have been examples even of mainstream news sites 
being hacked so that they would distribute spyware. But the sites 
that I find the most reliable tend to be second-tier entertainment 
sites. There’s a wrestling site that is awfully effective at giving me 
spyware, with no offense intended to those who like professional 
wrestling, but this site isn’t the one to go to. Again, I’ll leave it 
unnamed. 

Sites and programs that provide assistance in downloading copy- 
righted music and videos, sometimes massive copyright infringe- 
ment frankly. You go to a site that purports to provide assistance 
in that regard and then you might or might not get the copyrighted 
material you were seeking, but in any event your computer would 
be destroyed, which certainly wasn’t part of the bargain that you 
were expecting. 

But again, it can happen anywhere and so we should not paint 
a picture of victims as somehow having brought this on themselves. 
Maybe in a few instances that’s the case, but as a general rule 
that’s really not true. 

Senator Pryor. Mr. Edelman, in your experience and in your 
opinion, is there any legitimate use for spyware? 

Dr. Edelman. The programs that people call spyware are such 
a broad swath of programs, it’s hard even to answer the question 
crisply. Is there any legitimate use for a program that takes over 
a user’s computer and uses it to send unsolicited commercial e-mail 
to a variety of recipients who never asked for it, without telling the 
user that their computer would be so used? Absolutely not. How 
about a program that monitors what you’re doing and shows pop- 
up ads? You know, some marketers say that that could be useful. 
You didn’t know that American Airlines existed until you went to 
United. corn and up came an ad for American Airlines, which, to be 
clear, they would never do because they are good advertisers and 
are actually very careful about that sort of thing. 

In principle, it could be good for competition, I guess, to have 
pop-ups telling users about alternatives. But in practice I’m pretty 
suspicious. I think these pop-ups tend to promote software and 
services that users don’t really want. If they want them they al- 
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ready know about them and no one wants to be interrupted by that 
sort of thing. So I don’t see a lot of use for it. 

Senator Pryor. Mr. Cerasale, are there legitimate purposes, le- 
gitimate uses for spyware? 

Mr. Cerasale. Well, again the term “spyware” means lots of 
things. Clearly, taking over someone’s computer and so forth, is 
just not allowed. That’s spyware, bad stuff. But certain toolbars, 
plug-ins, and web browsers, those types of things going on people’s 
computers clearly are things that individuals want and so forth. 

Looking at the definition of trying to be any kind of software, you 
even have requirements for e-mail notices. There are things called 
web beacons that are computer code, software code, to tell people 
whether or not an e-mail has been opened. Some of those things 
are used, for example, if there is a compelled e-mail notice to en- 
sure that you have informed individuals of this notification. Those 
kinds of web beacons and things of that sort are definitely helpful 
and helpful to meet legal requirements. 

So the definition — as you look at definition of what is spyware, 
and actually as you go down further, the definition of what is soft- 
ware, becomes very, very complicated. We have to be careful with 
that. If you look at the attachment to my testimony, the DMA 
Guidelines, we have a thing on the bottom, this does not include 
cookies or similar types of software, because we had difficulty try- 
ing to define this. 

As we go further along with new technology, I think just defining 
software becomes a major problem. There are things that go on 
people’s computers that can be easily defined as software, that are 
advantageous to them. Now, our guidelines would say you’ve got to 
allow me to take it off if I suddenly don’t want it. But that’s the 
kind of thing that we think is — there are some legitimate uses for. 

There are major, major illegitimate uses for it that are already 
illegal. Many of the things that have been said here are already 
under Section 5 of the FTC Act, would be barred in its own right. 

Senator Pryor. Does the Direct Marketing Association have a 
good and working definition of spyware? 

Mr. Cerasale. We do not. If you look at that, the attachment to 
my testimony, we just talk about computer software, “install soft- 
ware or other similar technology,” because we don’t know what’s 
coming next, and then define some of the bad practices. So that’s 
what we’ve done, and then defining if you’re going to put this soft- 
ware or similar technology on someone’s computer with notice, easy 
to uninstall, you have to let them know who it is and the privacy 
policy. That’s the way we had to go. We felt that trying to define 
software would in essence — was first of all very difficult to try and 
discern; but technology is going to change the definition of software 
as we move forward, and we want to — and I think that our decision 
was to focus more on the acts and try and stop that, no matter 
what means was used for it. 

Senator Pryor. Mr. Butler, do you have a good working defini- 
tion of spyware? Do you differentiate spyware from adware and 
other types of software? 

Mr. Butler. To us, spyware is software that is surreptitiously 
installed on someone’s computer, that allows the outsider to inter- 
cept or to seize even partial control over the user’s interaction with 
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the computer, without that user’s informed consent. Anything that 
meets that definition we think is spyware. 

Senator Pryor. Mr. Cerasale, you just heard his definition. You 
said the DMA doesn’t differentiate between different types of soft- 
ware, but based on that definition you just heard, are you aware 
of any legitimate purpose for that type of software, surreptitiously 
installed, et cetera, et cetera, like he said? 

Mr. Cerasale. As our guidance says, surreptitiously installed 
would violate our guidelines. So yes, that clearly fits within where 
DMA is. I think the one exception might be in an area where Mr. 
Butler and I would disagree, in areas of trying to look at anti-fraud 
areas, that that might be something where there may be an excep- 
tion here. But not talking about that, looking at it from that score, 
his definition, surreptitiously put on, would violate our guidelines, 
so even without our definition. 

Senator Pryor. Let me ask this also if I may, Mr. Cerasale. That 
is, a couple of the witnesses either in their written testimony or 
what they said here today encouraged us to focus on behavior, not 
technology. 

Mr. Cerasale. Correct. 

Senator Pryor. Is that where the direct marketers are as well? 

Mr. Cerasale. I believe so, yes. 

Senator Pryor. Because the technology will change, but we know 
that the type behavior that we want to prevent, presumably we 
know the type of behavior we want to prevent, but the technology — 
there are lots of different ways to get there; is that fair? 

Mr. Cerasale. That’s fair, and it may be tomorrow it will be 
something new. 

Senator Pryor. Mr. Butler, do you agree with that? 

Mr. Butler. I think so. 

Senator Pryor. Because I think what Senator Vitter said was 
that he was concerned about the definition and I think the idea, 
if I’m hearing the panel correctly, is that if you have a definition 
that’s really based on a technology or a specific process of some 
sort, that could change because some programmer out there could 
change that tomorrow and the law we pass today could be obsolete. 
But if we focus on, I guess, the end result and the behavior that 
we’re trying to prevent, then regardless of what technology gets us 
there, I think that gets us what we’re trying to do. 

Do you agree with that, Mr. Edelman? 

Dr. Edelman. I think that’s fine as far as it goes, but it’s still 
possible to be both over-inclusive and under-inclusive as to behav- 
iors. So it’s possible to write a list of 20 bad behaviors and miss 
three other behaviors that either the Committee didn’t notice or 
they haven’t started yet, but will start next week. 

Similarly, it’s possible for there to be some behavior for which 
the behavior itself is neither good nor bad; it’s the deceptive prac- 
tice of that behavior, doing it in a way that has a tendency to de- 
ceive, based on the totality of the circumstances, the context, the 
method in which it is promoted, the nature of the disclosure, the 
nature of the consent procedure. 

So the suggestion that behavior versus technology is the magic 
bullet that solves the bill’s problems, I’m not sure it gets you all 
the way there. 
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Senator Pryor. Mr. Rotenberg? 

Mr. Rotenberg. Senator, I’ve worked on quite a lot of privacy 
bills over the years and I just want to say I very much support 
your approach. By way of example, the Federal Privacy Act, the 
legislation that protects the privacy of citizens with respect to their 
records held by Federal agencies, was passed more than 30 years 
ago. It actually said almost nothing about technology. It spoke 
about the collection and use of personal data, who would have ac- 
cess to it, how you could obtain it, and what the penalties would 
be. It still works today. 

By comparison, the privacy provisions in the Cable Communica- 
tions Act of 1984, which are very good privacy provisions, was actu- 
ally quite specific about the type of industry that would be covered. 
In 1984 there was a clear understanding of what the cable industry 
looked like, what interactive television looked like, and what pri- 
vacy protection would require. 

Well, today we have a great deal of interactive media, but those 
provisions from 1984 no longer apply because they were too techno- 
logically specific. So I think we need to focus on the activity, and 
of course I think it’s possible by means of committee report or other 
means to give some examples. You can say with respect to current 
business practice, we want to prohibit surreptitious collection of a 
person’s personal data without their consent, and an example 
might be, and then we can talk about some of the things that are 
taking place right now. 

Senator Pryor. Well, I would hope that all the panelists here 
would help us as we work on this bill and help us make sure we 
get it right, because, assuming the Senate passes this and the 
House passes it and the President signs it, we are trying to address 
this problem, and a wrong definition or a wrong section in the bill 
could totally undermine the purpose of what we’re trying to do. 

So I’d love to have all of you help us draft this. You all raise good 
points. 

Let me ask, if I may, let me ask Mr. Weafer about the cost asso- 
ciated with a consumer having spyware on his computer and hav- 
ing to do something to get rid of that infection. What does it typi- 
cally cost John Q. Public out there when he’s on his computer? 
What does it typically cost him to get rid of the spyware once it 
has infected his computer? 

Mr. Weafer. There is two parts to that answer. One is the ac- 
tual physical damage, for example having to go in and remove pop- 
ups, unwanted software, which can range in terms of dollars from 
hundreds of dollars to thousands depending on how many ma- 
chines, whether it’s to be completely re-imaged, and who’s doing 
the work. 

The bigger, greater cost is really on the personal privacy. If data 
has been exposed or is assumed to be exposed, then the cost in 
terms of cleaning up their identity, their privacy, going after that, 
actually is very difficult to calculate. But I think that’s the greater 
concern and the greater danger to a lot of users. 

Senator Pryor. Will a software product sold by Symantec stop 
spyware from being added in the first place or does it remove it 
once it’s on there, or both? 
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Mr. Weafer. It tries to do both. So first of all, we’re really just 
trying to give the tools to the end-users to identify what’s on their 
machine. We classify according to large spyware, which is a general 
category of software, including actual spyware, remote access pro- 
grams, tracking tools, hacking tools, and information, preventing 
them getting on. They’re deemed to be high risk or low risk, to help 
the user. Then if they are on the system, helping them remove 
them from the system itself. 

In some cases we can actually work with the vendors. If they’ve 
got a reasonable uninstaller, we can actually just call that and that 
becomes the uninstallation. For some of the more malicious, insid- 
ious programs, we have to do it ourselves. 

Senator Pryor. Symantec has a number of competitors out there 
that are offering spyware protection as well, right? 

Mr. Weafer. That is correct. 

Senator Pryor. About how many are in that marketplace right 
now that are offering anti-spyware programs or software of some 
sort? 

Mr. Weafer. There is at least 20 major vendors who are offering 
similar programs. 

Senator Pryor. Which ones are the best? 

[Laughter.] 

Mr. Weafer. Symantec. I’m a little bit biased toward the Norton 
brand. 

Senator Pryor. I just couldn’t resist that one. 

But nonetheless, there may be some ways for some computer 
users to get anti-spyware software free, but a lot of people have to 
pay for it as well. It kind of depends on your situation. So defi- 
nitely there’s a lot of cost associated with this, not just to the ma- 
chine but also to your personal situation. 

Mr. Cerasale, you said in your testimony that you think the in- 
dustry — you prefer self-regulation, is that right? 

Mr. Cerasale. That’s correct. 

Senator Pryor. Well, when I hear the numbers of some of the 
statistics, I get the very distinct impression that self-regulation 
isn’t working. So do you disagree with me on that? 

Mr. Cerasale. I do. What we heard a lot of today and a lot of 
the statistics are basically criminal activity, activity that is decep- 
tive, activity that already violates Section 5 of the Act or other 
criminal codes. Self-regulation requires law enforcement to stop 
criminal activities. Self-regulation is not there and cannot be there 
to prevent criminal activity. 

I think the area we’re looking at and the area that we’re con- 
cerned in is going after the bad guys, the criminals, and being care- 
ful to protect the legitimate uses on the Internet that foster com- 
merce. And I think in that arena self-regulation works well, for 
DMA members to have to follow our guidelines, the ability for us 
to quickly change guidelines, to take a look at new technologies 
when they come up. We have our own ethics procedure to go after 
and try and stop certain activities. 

I think in that arena it works. It does not work in the criminal 
arena and we don’t intend it to, and we want you to give the FTC 
as much money as they can to go out and try and enforce it. 
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Senator Pryor. I do think one of the shortcomings of self-regula- 
tion is something you alluded to, and that is I think you have a 
lot of members who are acting responsibly and are out there trying 
to do the right thing and they’re legitimate companies trying to be 
in this for the long term. But not all direct marketers are members 
of the DMA and a lot of them don’t acknowledge or recognize or 
even consider your guidelines that you lay out. 

So this may be one of those situations where the good actors out 
there may have to undergo some additional regulation to try to get 
the bad actors out of the marketplace. 

Mr. Cerasale. We have supported legislation in the past, such 
as CAN-SPAM and in other areas, where we felt that self-regula- 
tion didn’t work, and we pledge and have in the past and continue 
to work with you on this legislation, with you and the Committee 
on this legislation, and others in this area. 

Our biggest concern is unintended consequences hurting legiti- 
mate business and that’s where we want to work. 

Senator Pryor. Mr. Weafer, let me ask another question of you, 
and that is — we have heard some statistics today that are helpful, 
but I’m curious about, from your company’s standpoint and just 
from your personal research and your experience, is spyware a 
growing problem? Is it becoming more prevalent or less prevalent? 

Mr. Weafer. In my opinion, the broader aspect of spyware is ac- 
tually becoming more prevalent. We’re seeing more and more 
spyware. Now, most of this is driven by the underground economy. 
A lot of it is the criminalization of this. We’re certainly seeing in 
many cases up to 500 percent year over year increases in the 
amount and variety of this type of spyware coming out. 

We are continuing to see the shady commercialization as well, 
which are programs which are continuing to drive pop-ups, pro- 
grams which are continuing to be fraudulent, programs which are 
still not giving users control, consent, and notification. So we do ap- 
plaud the self-regulation, but we want to see additional remedies 
on top of that. 

Senator Pryor. Well, I agree with you. I think that that’s what 
you’re seeing out there. I just know really anecdotally from talking 
to people — just as an example, not too long ago I was talking to 
someone about their computer and they were getting all these pop- 
ups. They were getting a new toolbar, they were getting all this 
stuff, and they didn’t know where it came from or how it came on 
there. 

It’s very frustrating for people. For most people, like for home 
use, your personal computer is your personal property and you 
don’t want it to be infected and somehow damaged by other people, 
and certainly you don’t want your personal information out there 
going to people that you don’t want to have it. 

So this is a serious problem. We do have this piece of legislation. 
All of you pointed out your thoughts on the legislation, even some 
of the shortcomings of the legislation. We appreciate that. We take 
all of that as constructive criticism. 

What we’re going to do is we’re going to take our legislation, 
we’re going to talk to the Members of the Committee, and we’re 
going to see if we can help shape it and get it in the type of form 
where it’s ready to move and move through the system. And hope- 
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fully some time in the next, I don’t know, several months, maybe 
the next year, we’ll have a very, very strong piece of legislation, 
very bipartisan, to try to make a big difference in the marketplace. 

So I just want you to know you’ve been a very important part 
of this process and we appreciate you. Like I said, we definitely 
would appreciate your input as we go along, and always feel free 
to share your opinions or give us your insights because we don’t 
claim the expertise here. We know who the experts are. 

So with that, what I’m going to do is I’m going to adjourn the 
hearing here in just 1 minute. But first let me say that we’re going 
to keep the record open and Senators may have additional ques- 
tions or follow-up questions. So we’ll get those to you and we’d love 
for you to get those back to us. We’ll try to leave the record open 
for 2 weeks, so if you could get those back to us as quickly as you 
can. 

Also, if there are documents — I think someone mentioned a study 
or some statistics or whatever it may be. If there are documents 
that you want to submit for the record, again the record will be 
open for 2 weeks and just get that to Committee staff and they’ll 
distribute it as it should be. 

So we appreciate your time, we appreciate you looking at the leg- 
islation, and we appreciate your being here today. With that, we’re 
going to adjourn the hearing, and just say thank you. 

[Whereupon, at 4:28 p.m., the hearing was adjourned.] 
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TRUSTe 

San Francisco, CA, June 24, 2008 

Hon. Mark Pryor, 

Chairman, 

Subcommittee on Consumer Affairs, Insurance, and Automotive Safety, 

U.S. Senate, 

Washington, DC. 

Dear Chairman Pryor, 

I am writing to respectively request that this letter be added to the official record 
of the Senate Commerce Committee’s hearing on June 11, 2008 entitled “The Impact 
and Policy Implications of Spyware on Consumers and Businesses.” 

I am the Vice President in charge of legal policy and compliance matters for 
TRUSTe. We are an independent, nonprofit organization with the mission of ad- 
vancing privacy and trust for a networked world. Through long-term supportive re- 
lationships with our licensees, extensive interactions with consumers in our Watch- 
dog Dispute Resolution program, and with the support and guidance of many estab- 
lished companies and industry experts, TRUSTe has earned a reputation as the 
leader in promoting privacy policy disclosures, informed user consent, and consumer 
education. 

TRUSTe applauds the Committee’s work on the issue of spyware. We have long 
articulated a public policy for privacy protection that incorporates the strength of 
government oversight, the discipline of industry self-governance, and the innovation 
of privacy-enhancing technology. 

In his testimony before the Committee on June 11, Jerry Cerasale, senior vice 
president of government affairs for the Direct Marketing Association, referenced the 
self regulatory work underway to develop standards for downloadable software. He 
spoke of the work that TRUSTe has undertaken to develop a program of best prac- 
tices. I would like to tell the Committee a little more about our Trusted Download 
Program. 

TRUSTe has partnered with major online consumer portals and other industry 
leaders to develop the Trusted Download Program, a standards and a certification 
program for downloadable consumer desktop applications. 

Program objectives: 

• Empower consumers to make informed decisions. 

• Establish the leading industry-wide standards for developers of downloadable 
applications. 

• Identify and elevate trustworthy consumer applications for distributors and 
marketers. 

• Protect the valued brands of online advertisers by enabling them to know which 
applications are trustworthy and which are not. 

The Trusted Download Program certification combines strict standards, thorough 
review, ongoing monitoring, enforcement mechanisms and powerful market incen- 
tives. 

The Program elevates those applications that meet the certification requirements 
through a whitelist, thereby providing consumer portals and other businesses a tool 
to distinguish responsible software applications. For downloadable desktop software 
developers, the program provides guidance on responsible behavior. A Trusted 
Download Seal at the point of download allows consumers to recognize applications 
that provide improved disclosures, more explicit control mechanisms, easier 
uninstall, and more respect for their personal information. 

Trusted Download Sponsors and Advisory Committee Members are CNET 
download.com, Microsoft, Yahoo!, and the Center for Democracy and Technology 
(CDT). 


(49) 
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Incentives for Compliance 

TRUSTe serves a “whitelist” of certified applications to advertisers, distributors, 
consumer portals and other interested parties. In a market where the conduct of 
partners can be as important as the conduct of your own organization, businesses 
are turning to TRUSTe to help determine which applications they want to be affili- 
ated with. The Program’s whitelist is regularly used to influence decisionmaking in 
advertising buys, bundling and distribution opportunities, and to resolve errant 
blacklistings. 

The whitelist, provides an economic incentive for software providers to achieve 
and maintain certification. In addition, the Trusted Download Seal at the point of 
download reassures consumers and increases downloads, providing a direct eco- 
nomic benefit to software developers. 

Scope 

While there are exceptions, the program is aimed at consumer downloadable desk- 
top software applications. It does not cover software downloaded exclusively to 
handheld devices (i.e., mobile phones). While there are additional specific require- 
ments for advertising and tracking software, many requirements also apply to all 
consumer downloadable applications. Advertising and tracking software providers 
will likely need to significantly change current practices to earn certification. In ad- 
dition, the program will provide standards for all applications to offer consumers en- 
hanced disclosures, easier uninstall and other benefits. 

Certification 

Application providers submit to TRUSTe a contract and a completed question- 
naire including questions about how the application is distributed. TRUSTe con- 
ducts a thorough evaluation of the downloadable applications against the program 
standards to ensure they do not involve activities that are prohibited by the Pro- 
gram. Additional compliance assurance is being provided by AppLabs, a third party 
software testing lab that will evaluate the application’s relay of information and 
interaction with the recipient’s operating system. 

Key Program Elements 

The Program outlines certain requirements for all software and specifies addi- 
tional requirements for advertising and tracking software. This approach ensures 
that the Program addresses practices that historically have created consumer confu- 
sion and anxiety. However, all software must meet specific program requirements 
and is tested for monitoring, relays, and behaviors that have historically been con- 
sidered deceptive. 

Notice 

The Program imposes a layered approach, via a primary notice and reference no- 
tices such as the End User License Agreement, EULA, and the privacy statement. 
The primary notice must explain functionalities that impact the consumer experi- 
ence and must be unavoidable, to ensure that users understand what they are 
downloading. EULAs and “opt-out” mechanisms are insufficient for providing such 
notice or obtaining consent. For example, unavoidable notice of any material 
changes to certain specified consumer settings is required for ail software. Further, 
all ads delivered in certified advertising software must be labeled, and unavoidable 
notice of certain ad features must be provided. 

Consent to Install is Required 

Consumers must be offered notice and an opportunity to consent that is described 
in plain language and is as prominently displayed as the option to not install, Con- 
sent to install may not be obtained with a pre-selected option. 

Easy Uninstall 

Instructions for uninstallation must be easy to find and easy to understand, and 
methods for uninstalling must be available in places where consumers are accus- 
tomed to finding them, such as the Add/Remove Programs feature in the Windows 
Control Panel, or the Add-On management menus in browsers for browser Add-Ons. 
Uninstallation must remove all software associated with the particular application 
being uninstalled (with a few specific exceptions carved out in the Program Require- 
ments), and cannot be contingent on a consumer’s providing Personally Identifiable 
Information, unless that information is required for account verification. 

Prohibited Activities 

No company can have an application certified if any of its applications exhibits 
a behavior listed in the Program’s Prohibited Activities section. 
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Examples of prohibited activities include: 

• Taking control of a consumer’s computer. 

• Modifying security or other settings of the computer to cause damage or harm. 

• Spyware tactics for surveillance and tracking, such as keystroke logging. 

• Preventing reasonable efforts to block installation or to uninstall. 

• Allowing a certified application to be bundled with any application currently en- 
gaging in any of the prohibited activities. 

Special Protections for Children 

Companies in the Program must prevent the distribution of their advertising or 
tracking software on children’s websites — including by prohibiting their distribution 
partners and affiliates from such distribution. 

Affiliate Controls 

Since many advertising and tracking applications are distributed through second 
and third-party affiliates and/or bundled with other programs; relationships must 
be disclosed in attestations. Certified software is subject to random testing on in- 
stances found wherever an individual might encounter them. 

Prior Behavior 

The Program includes provisional certification for companies that have previously 
engaged in prohibited activities or other behaviors that call into question the Par- 
ticipant’s ability to comply with the Program Requirements on an ongoing basis. In 
order to be certified, these companies will be subject to additional oversight includ- 
ing enhanced monitoring and a requirement to go back to all users who downloaded 
an uncertified version of the software application and obtain their opt-in consent. 

Segregated Ad Inventory 

Companies in the Program must maintain segregated ad inventory in certified 
versus uncertified applications. The application provider must be able to serve ads 
to users from whom consent was obtained versus users from whom consent has not 
been acceptably obtained. 


Monitoring 

Certified applications are monitored by TRUSTe for ongoing compliance with the 
Program’s strict standards. A company risks termination from the program if any 
one of its certified applications violates the standards. 


Enforcement 

If monitoring uncovers suspected non-compliance, an application, or in some cases 
all of a company’s applications, will be subjected to enforcement procedures by 
TRUSTe. Depending on severity and the results of a TRUSTe investigation, an ap- 
plication may be temporarily suspended or permanently removed from the program 
whitelist. In certain cases, a company or application may be terminated from the 
Program and the fact of its termination made public. 

I have attached a copy* of the Trusted Download Program certification require- 
ments to this letter and request that it also be included in the Committee’s spyware 
hearing record. 

TRUSTe appreciates your work in this area and would be pleased to serve as a 
resource should you or your staff have any questions. If you have any questions, 
please do not hesitate to contact me. 

Sincerely, 


John P. Tomaszewski, Esq. 

Vice President, Legal, Policy & Compliance. 


* This document is retained in the Committee files. 
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Americans for Fair Electronic Commerce Transactions (AFFECT) 

June 25, 2008 

Hon. Mark Pryor, 

U.S. Senate Committee on Commerce, Science, and Transportation, 

Washington, DC. 

Re: Follow-up Comments for the Record of the Hearing on the “Impact 
and Policy Implications of Spyware on Consumers and Businesses” 

Dear Senator Pryor: 

Thank you for the opportunity to submit additional comments on behalf of AF- 
FECT (Americans for Fair Electronic Commerce Transactions) on the impact and 
policy implications of spyware on consumers and businesses and on the Counter Spy 
Act (S. 1625). 

As I stated in my testimony during the June 11, 2008 hearing, AFFECT is con- 
cerned about the exception section of the Counter Spy Act, Section 6(a). That section 
says that the list of prohibited acts in Sections 3, 4, and 5 of the bill “do not apply 
to any monitoring of or interaction with, a subscriber’s Internet or other network 
connection or service, or a protected computer, by or at the direction of a tele- 
communications carrier, cable operator, computer hardware arc or software pro- 
vider, financial institution or provider of information services or interactive com- 
puter service . . .” 

These entities have immunity under the Counter Spy Act when what they’re 
doing is done for a number of innocuous-sounding purposes. The first nine of these 
liability exemptions include network or computer security, diagnostics, technical 
support, repair, network management, authorized updates of software or system 
firmware, authorized remote system management, authorized provision of protection 
for users of the computer from objectionable content, and authorized scanning for 
computer software used in violation of sections 3, 4, or 5 for removal by an author- 
ized user. 

As I said at the hearing, AFFECT sees no legitimate reason why any of these nine 
activities would need an exemption from the actions prohibited by the bill because: 

• none of them justifies an outside entity in installing zombies, engaging in mod- 
ern hijacking for the purpose of causing damage to the computer or causing the 
authorized user to incur unauthorized financial charges, causing a denial of 
service attack for the purpose of causing damage, causing endless loop pop-up 
ads (Section 3(1)); 

• none of them justifies an outside entity in modifying an authorized user’s secu- 
rity settings for the purpose of stealing the user’s sensitive personal informa- 
tion, or disabling security settings for the purpose of causing damage to the 
computer or another computer, or through unfair or deceptive means modifying 
browser settings (Section 3(2)); 

• none of them justifies, without authorization, an outside entity in preventing a 
user’s reasonable efforts to block installation, to disable, or to uninstall software 
by unfair or deceptive means (Section 3(3)); 

• none of them justifies an outsider in installing software that collects sensitive 
personal information from an authorized computer user without that user’s in- 
formed consent, logs keystrokes, collects and correlates personal information 
with a history of websites visited, extracts the substantive contents of files or 
communications, or prevents an authorized user from uninstalling or disabling 
software (Section 4); and, 

• none of them justifies an outsider in installing adware that conceals its oper- 
ation (Section 5). 

An exemption from the prohibited activities listed in the bill is simply not needed 
to allow or protect any legitimate activity. 

AFFECT is particularly concerned about Subsection 6(a)(10). That tenth and final 
exemption would be granted when the otherwise prohibited acts are done for: “detec- 
tion or prevention of the unauthorized use of software fraudulent or other illegal 
activities.” The troubling questions raised by 6(a)(10) were pointed out in my writ- 
ten testimony, namely that the exemption would allow a software vendor to surrep- 
titiously download code onto a user’s computer and freely violate their privacy. It 
would allow the provider to set itself up as an ad hoc police force to conduct 
warrantless searches and to act as judge and jury to conduct unilateral seizures. 
Private entities do not and should not have the right to conduct law enforcement 
activities. 

More troubling is the fact that the language of Subsection 6(a)(10) would effec- 
tively allow a software provider to unilaterally decide to remotely shut down the 
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user’s computer or Internet or other network connection or service. But whether the 
use of a particular software is “unauthorized,” “fraudulent,” or “illegal” is often sub- 
ject to legitimate dispute and merits some judicial consideration before a provider 
is allowed to unilaterally employ a drastic remedy like remote disablement. 

In his written testimony, Vincent Weafer, the Symantec vice president who was 
representing the Business Software Alliance (BSA) at the hearing, praised Section 
6(a)(10) as “essential to our industry’s ability to protect our products against theft. 
Software piracy results in almost $50 billion in losses to the software industry each 
year, including more than $8 billion in the U.S. alone. Given these massive losses, 
it is absolutely critical that companies that engage in otherwise lawful conduct to 
detect or prevent piracy or other unlawful acts are not unwittingly subject to liabil- 
ity under anti-spyware laws.” 

Contrary to Mr. Wearer’s statement, exemption from the prohibited actions listed 
in the bill is neither essential to a software vendor’s legitimate efforts to protect 
against piracy, nor is it essential to protect legitimate activities from liability under 
the bill. Software vendors have a variety of legal remedies to attack piracy. If a soft- 
ware contract, for example, an End User License Agreement (EULA), is breached, 
the vendor would have the right to sue and collect damages. It could seek an injunc- 
tion against further use. In addition, statutes, like the U.S. Copyright Act, or inter- 
national copyright laws, may grant other rights and remedies, including access to 
Federal court and statutory damages, perhaps even enforcement by the FBI. In ad- 
dition, the BSA itself is a well-known and very effective enforcement arm of the soft- 
ware industry. 

Further, there is no reason the software industry can’t employ technological ap- 
proaches to combating piracy without remotely accessing software resident on the 
user’s computer and unilaterally shutting it down. For example, the agreement be- 
tween the software vendor and the user could clearly provide for a limited period 
of use and a “time bomb” built into the software that disables its operation at the 
expiration of the named period of time. The parties then could agree that the period 
of limited use could be renewed by the user obtaining a “key” from the vendor or 
sending a “validation” to continue the use. 

It is not necessary to reach into a user’s computer, to poll the machine, extract 
data, and phone home. It is not necessary to build in a “backdoor” which will make 
the computer vulnerable to exploitation by spies, hackers, saboteurs, or terrorists. 
And, there is no legitimate reason why a software vendor, network provider, or 
other outside entity should be allowed to unilaterally decide to remotely shut down 
the user’s computer or Internet or other network connection or service. At a min- 
imum, a software vendor who thinks it has not been paid, should be required to give 
notice, an opportunity to cure, and obtain a court order before employing remote dis- 
ablement. 

The Business Software Alliance appears to want to use Section 6 of your bill to 
gain the approval of policymakers for their use of electronic self-help. The fact of 
the matter is that this is an anti-spyware bill, not a bill designed to address tools 
for dealing with piracy. 

During the hearing on June 11, you specifically asked for suggestions about how 
to define spyware. AFFECT offered the following definition: Spyware is computer 
software that is surreptitiously installed on a computer that allows an outsider to 
intercept or take partial control over the user’s interaction with the computer, with- 
out the user’s informed consent. We believe this definition is broad enough to cover 
technologies that arc deployed without appropriate user consent or are implemented 
in ways that impair user control over material changes that affect their experience, 
privacy, or system security; their use of their system resources, including what soft- 
ware is installed on their computers; and the collection, use, and distribution of 
their personal or other sensitive information. We also believe it should cover all of 
the prohibited behaviors currently listed in the bill. 

AFFECT also sees the merit in the suggestions of spyware expert Ben Edelman, 
who advocated for a simplification of the approach of S. 1625 that would focus on 
increasing the penalties such as a treble fine in FTC actions. That approach was 
also expressed by the FTC in its testimony. 

Finally, I want to express AFFECT’S support for the three key principles ex- 
pressed by Ms. Eileen Harrington, Deputy Director of the Bureau of Consumer Pro- 
tection of the FTC, in her written and oral statements: (1) a consumer’s computer 
belongs to him or her, not to the software distributor, and it must be the consumer’s 
choice whether or not to install software; (2) burying in an End User License Agree- 
ment (EULA) material disclosures necessary to correct an otherwise misleading im- 
pression should not be sufficient to allow a spyware purveyor to escape liability; and 
(3) a consumer should be able to uninstall or disable any program he or she does 
not want on a computer. 
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AFFECT has long favored a competitive and fair marketplace. A cornerstone of 
AFFECT’s efforts was the creation of “12 Principles for Fair Commerce in Software 
and Other Digital Products” (http://www.ucita.com/pdf/AFFECTbrochure2-05.pdf). 
Two of those key principles are that: (1) customers are entitled to control their own 
computer systems; and (2) customers arc entitled to control their own data. We be- 
lieve these two principles are consistent with the three expressed by Ms. Harrington 
and should guide the Committee and the Congress in shaping its approach to deal- 
ing with the insidious problem of spyware. 

Thank you very much for the opportunity to submit these additional comments 
for the hearing record. AFFECT remains willing and interested in working with the 
Committee on S. 1625 and will be glad to be of whatever help we can. 

Sincerely, 


Arthur A. Butler, 
Attorney, Ater Wynne LLP. 


Americans for Fair Electronic Commerce Transactions (AFFECT) Concerns 
with S. 1625, Section 6(a)(10) 

Americans for Fair Electronic Commerce Transactions (AFFECT) is a national co- 
alition of consumers, retail and manufacturing businesses, insurance institutions, fi- 
nancial institutions, technology professionals and librarians committed to promoting 
the growth of fair and competitive commerce in software and other digital products. 

S. 1625 (Pryor), introduced in June 2007, would protect against the unauthorized 
installation of software that is used to take control of a computer in order to cause 
damage, collect personal information without consent, or otherwise enable identity 
theft. 

AFFECT strongly supports S. 1625’s purpose to curb the use of harmful spyware. 
However, it has great concerns with S. 1625 (6), the exception section, which is over- 
ly broad and could be construed to protect wrongful acts that can result in great 
harm to computer users — which is in direct opposition to the purpose of S. 1625. 

AFFECT strongly recommends that the exception provision of S. 1625 should only 
limit liability for interaction with a network, service, or computer that is under- 
taken to detect or prevent fraudulent or other illegal activities as prohibited by the 
act itself. Therefore, AFFECT proposes that Section 6(a)( 10) of the bill be amended 
as follows: 

(10) detection or prevention of fraudulent or other illegal activities as prohibited 
by this Act. 

Subsection 6(a)(10), as it is currently written, would permit a provider to monitor 
or interact with an individual’s computer or Internet or other network connection 
or service for the “detection or prevention of the unauthorized use of software for 
fraudulent or other illegal activities.” This would allow the provider to unilaterally 
decide to remotely shut down the user’s computer or Internet or other network con- 
nection or service. But whether the use of a particular software is “unauthorized,” 
“fraudulent,” or “illegal” is often subject to legitimate dispute and merits some judi- 
cial consideration before a provider is allowed to unilaterally employ a drastic rem- 
edy like remote disablement. 

Permitting unilateral remote disablement is bad public policy. It allows the pro- 
vider to set itself up as an ad hoc police force to conduct warrantless searches and 
to act as judge and jury to conduct unilateral seizures in the name of protecting 
against piracy, fraud, or other illegal activities. Private entities do not and should 
not have the right to conduct law enforcement activities. 

Also, remote disablement can cause great harm to the owner who depends on ac- 
cess to and use of that computer, connection or service. 

• For example, the shutdown of an owner’s system can cause great harm to: 

° a teacher using a computer to prepare for classroom lectures; 

° an insurer depending on a computer system to pay claims; 

° a manufacturer trying to deliver its products to meet contractual commit- 
ments; or 

° the public’s access to online library materials. 

• In reaching into an individual’s computer remotely to disable software residing 
on his computer, the provider may not only violate privacy rights, but also dam- 
age his other files. 
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• The monitoring and remote disablement of software on an owner’s computer by 
a provider may compromise private information of employees, confidential and 
proprietary information of the owner, and, in some cases, national security in- 
formation. 

• The code used to remotely enter a computer and disable the software or the net- 
work connection (often called “black holes”) make the computer vulnerable to 
security breaches by hackers and terrorists. When there is an opportunity to ne- 
gotiate, many enterprises, including governmental entities, will insist that their 
software license agreements contain a warranty prohibiting any “self-help code” 
or other software routing designed to disable a computer program automatically 
or that is under the positive control of a person other than the licensee of the 
software. Unfortunately, with mass market licenses individual consumers and 
businesses are not able to negotiate for a “no self-help code.” 

It is important to recognize that these harms that can result from permitting re- 
mote disablement can be significantly larger than the harm to a software vendor 
in not getting a license fee. 


Response to Written Questions Submitted by Hon. David Vitter to 
Eileen Harrington 1 

Question 1. Who do you think would define “objectionable” in S. 1625 section 
6(a)(8), and what does that term mean? 

Answer. The term “objectionable content” is left undefined by the Counter Spy 
Act, S. 1625. Absent a clear definition in the bill, “objectionable content” will need 
to be interpreted by the courts. As drafted, however, “objectionable content” is suffi- 
ciently broad that it might include content or software (such as advertising soft- 
ware, toolbars, etc.) about whose value reasonable people may disagree. Accordingly, 
a covered party could have considerable discretion under the bill to identify and re- 
move software as “objectionable” without giving specific notice to, and perhaps 
against the intentions of, the consumer. 

Question 2. Under section 6(a)(9) of S. 1625, would a consumer’s purchase and use 
of a computer with pre-loaded operating system and anti-spyware software be suffi- 
cient “authorization” to allow some software to remove or disable other software on 
the computer without notifying the computer user or obtaining her consent? 

Answer. The Commission and the courts would need to approach scenarios like 
the one posed by Question 2 on a case-by-case basis, weighing the nature of the soft- 
ware and its potential for harm against the nature and timing of notice and con- 
sent — if any — provided. In the case of pre-installed anti-spyware software, we would 
need to know how much notice the consumer is given regarding the existence and 
function of the software, and whether the consumer is given notice before the anti- 
spyware software removes or disables other software on the computer. If any pre- 
installed software caused the type of harms outlined in sections 3, 4, or 5 of S. 1625, 
it is doubtful that the Commission would deem the mere acts of buying and turning 
on a computer to be sufficient “authorization.” 

Linking exemptions and immunity in section 6(a) to particular functions that are 
purportedly “authorized” poses the risk of creating a safe harbor based on unknow- 
ing authorization. For example, a software provider, an information services pro- 
vider, or an ISP might argue that a provision buried deep in an End User License 
Agreement or privacy policy provides sufficient authorization for much of the con- 
duct prohibited by the bill. 

Question 3. Should we be careful when providing (broad) exemptions or immunity 
for software removal, given the FTC actions against companies that might represent 
their software as legitimate “anti-spyware” in order to scam consumers? 

Answer. Yes. I share Senator Vitter’s concern that there is a need for caution in 
providing broad exemptions and immunity for software removal when addressing 
the problems of spyware. If not carefully drafted, these broad exemptions can create 
safe harbor loopholes that can be exploited by clever spyware and malware pur- 
veyors. Under the bill as drafted, virtually any “software provider” or “provider of 
information services” who can muster some plausible pretense of the list of the enu- 
merated services will raise the exemption as a defense to enforcement. 

Take the example of a purveyor of what has been termed “rogue anti-spyware” 
software. Rogue anti-spyware software is usually sold via deceptive tactics. A broad 


1 As with my responses to the Committee’s questions at the hearing, these answers present 
my personal views and do not necessarily represent the views of the Federal Trade Commission 
or of any Commissioner. 
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“anti-spyware” exemption may shield the rogue anti-spyware sellers from liability 
for their deceptive tactics. Moreover, it could potentially permit the seller to 
download other harmful software, such as a keylogger, if that seller can convince 
a court that the other harmful software in any way could be used to provide func- 
tions enumerated by sections 6(a)(1) through (10). 

If the main purpose of including section 6(a) is to limit liability among and be- 
tween civil litigants regarding questions about what is “authorized,” or what is “ob- 
jectionable” (e.g., where an anti-spyware company is sued by a software provider 
whose product is deemed objectionable), it is misplaced because S. 1625 does not 
provide a private right of action. Accordingly, such broad exemptions from law en- 
forcement in this legislation are unnecessary. At bottom, the broad scope of section 
6(a)’s limitations on liability — both in terms of the number of exempted parties as 
well as the breadth of the exempted conduct — may make the FTC’s job more chal- 
lenging and potentially do more harm than good in terms of effective spyware law 
enforcement. 


o 



